proc: CVE-2018-17972

proc: restrict kernel stack dumps to root References: https://nvd.nist.gov/vuln/detail/CVE-2018-17972 https://marc.info/?l=linux-fsdevel&m=153806242024956&w=2 Change-Id: I20b7879d32e4485e92e4952be90cbb71bd7acfdb Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-01-25 16:16:10 +0100
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-02-01 16:23:59 +0100
commit: c1c186fd627f69cb4c02c5f4f3b6bf3d1b65fcde (patch)
tree: faba3679e391e7119dc3970a402a496c1eb939f1
parent: 5dd4ff4afafddef0d56795990f9190d19326bac7 (diff)
download: enea-kernel-cache-c1c186fd627f69cb4c02c5f4f3b6bf3d1b65fcde.tar.gz
2 files changed, 81 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index 78e3e2d..26e55cf 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -2,3 +2,5 @@
 patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
 #CVEs fixed in 4.14.73:
 patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
+#CVEs fixed in 4.14.75:
+patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
diff --git a/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
new file mode 100644
index 0000000..9daec53
--- /dev/null
+++ b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
@@ -0,0 +1,79 @@
+From f8566a92ab75d442a823453414c6158b0b3c5ce7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 5 Oct 2018 15:51:58 -0700
+Subject: [PATCH] proc: restrict kernel stack dumps to root
+commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.
+Currently, you can use /proc/self/task/*/stack to cause a stack walk on
+a task you control while it is running on another CPU.  That means that
+the stack can change under the stack walker.  The stack walker does
+have guards against going completely off the rails and into random
+kernel memory, but it can interpret random data from your kernel stack
+as instruction pointers and stack pointers.  This can cause exposure of
+kernel stack contents to userspace.
+Restrict the ability to inspect kernel stacks of arbitrary tasks to root
+in order to prevent a local attacker from exploiting racy stack unwinding
+to leak kernel task stack contents.  See the added comment for a longer
+rationale.
+There don't seem to be any users of this userspace API that can't
+gracefully bail out if reading from the file fails.  Therefore, I believe
+that this change is unlikely to break things.  In the case that this patch
+does end up needing a revert, the next-best solution might be to fake a
+single-entry stack based on wchan.
+CVE: CVE-2018-17972
+Upstream-Status: Backport
+Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
+Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Ken Chen <kenchen@google.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/proc/base.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index c5c42f3e33d1..9063738ff1f0 100644
+--- a/fs/proc/base.c
+++ b/fs/proc/base.c
+@@ -431,6 +431,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
+        int err;
+        int i;
+ 
+       /*
+        * The ability to racily run the kernel stack unwinder on a running task
+        * and then observe the unwinder output is scary; while it is useful for
+        * debugging kernel issues, it can also allow an attacker to leak kernel
+        * stack contents.
+        * Doing this in a manner that is at least safe from races would require
+        * some work to ensure that the remote task can not be scheduled; and
+        * even then, this would still expose the unwinder as local attack
+        * surface.
+        * Therefore, this interface is restricted to root.
+        */
+       if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
+               return -EACCES;
+
+        entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
+        if (!entries)
+                return -ENOMEM;
+-- 
+2.19.2
author	Andreas Wellving <andreas.wellving@enea.com>	2019-01-25 16:16:10 +0100
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-02-01 16:23:59 +0100
commit	c1c186fd627f69cb4c02c5f4f3b6bf3d1b65fcde (patch)
tree	faba3679e391e7119dc3970a402a496c1eb939f1
parent	5dd4ff4afafddef0d56795990f9190d19326bac7 (diff)
download	enea-kernel-cache-c1c186fd627f69cb4c02c5f4f3b6bf3d1b65fcde.tar.gz

diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index 78e3e2d..26e55cf 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc
@@ -2,3 +2,5 @@
2	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch	2	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
3	#CVEs fixed in 4.14.73:	3	#CVEs fixed in 4.14.73:
4	patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch	4	patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
		5	#CVEs fixed in 4.14.75:
		6	patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch


diff --git a/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch new file mode 100644 index 0000000..9daec53 --- /dev/null +++ b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
@@ -0,0 +1,79 @@
		1	From f8566a92ab75d442a823453414c6158b0b3c5ce7 Mon Sep 17 00:00:00 2001
		2	From: Jann Horn <jannh@google.com>
		3	Date: Fri, 5 Oct 2018 15:51:58 -0700
		4	Subject: [PATCH] proc: restrict kernel stack dumps to root
		5
		6	commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.
		7
		8	Currently, you can use /proc/self/task/*/stack to cause a stack walk on
		9	a task you control while it is running on another CPU. That means that
		10	the stack can change under the stack walker. The stack walker does
		11	have guards against going completely off the rails and into random
		12	kernel memory, but it can interpret random data from your kernel stack
		13	as instruction pointers and stack pointers. This can cause exposure of
		14	kernel stack contents to userspace.
		15
		16	Restrict the ability to inspect kernel stacks of arbitrary tasks to root
		17	in order to prevent a local attacker from exploiting racy stack unwinding
		18	to leak kernel task stack contents. See the added comment for a longer
		19	rationale.
		20
		21	There don't seem to be any users of this userspace API that can't
		22	gracefully bail out if reading from the file fails. Therefore, I believe
		23	that this change is unlikely to break things. In the case that this patch
		24	does end up needing a revert, the next-best solution might be to fake a
		25	single-entry stack based on wchan.
		26
		27	CVE: CVE-2018-17972
		28	Upstream-Status: Backport
		29
		30	Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
		31	Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
		32	Signed-off-by: Jann Horn <jannh@google.com>
		33	Acked-by: Kees Cook <keescook@chromium.org>
		34	Cc: Alexey Dobriyan <adobriyan@gmail.com>
		35	Cc: Ken Chen <kenchen@google.com>
		36	Cc: Will Deacon <will.deacon@arm.com>
		37	Cc: Laura Abbott <labbott@redhat.com>
		38	Cc: Andy Lutomirski <luto@amacapital.net>
		39	Cc: Catalin Marinas <catalin.marinas@arm.com>
		40	Cc: Josh Poimboeuf <jpoimboe@redhat.com>
		41	Cc: Thomas Gleixner <tglx@linutronix.de>
		42	Cc: Ingo Molnar <mingo@redhat.com>
		43	Cc: "H . Peter Anvin" <hpa@zytor.com>
		44	Cc: <stable@vger.kernel.org>
		45	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
		46	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		47	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		48	---
		49	fs/proc/base.c \| 14 ++++++++++++++
		50	1 file changed, 14 insertions(+)
		51
		52	diff --git a/fs/proc/base.c b/fs/proc/base.c
		53	index c5c42f3e33d1..9063738ff1f0 100644
		54	--- a/fs/proc/base.c
		55	+++ b/fs/proc/base.c
		56	@@ -431,6 +431,20 @@ static int proc_pid_stack(struct seq_file m, struct pid_namespace ns,
		57	int err;
		58	int i;
		59
		60	+ /*
		61	+ * The ability to racily run the kernel stack unwinder on a running task
		62	+ * and then observe the unwinder output is scary; while it is useful for
		63	+ * debugging kernel issues, it can also allow an attacker to leak kernel
		64	+ * stack contents.
		65	+ * Doing this in a manner that is at least safe from races would require
		66	+ * some work to ensure that the remote task can not be scheduled; and
		67	+ * even then, this would still expose the unwinder as local attack
		68	+ * surface.
		69	+ * Therefore, this interface is restricted to root.
		70	+ */
		71	+ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
		72	+ return -EACCES;
		73	+
		74	entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
		75	if (!entries)
		76	return -ENOMEM;
		77	--
		78	2.19.2
		79