From c1c186fd627f69cb4c02c5f4f3b6bf3d1b65fcde Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Fri, 25 Jan 2019 16:16:10 +0100 Subject: proc: CVE-2018-17972 proc: restrict kernel stack dumps to root References: https://nvd.nist.gov/vuln/detail/CVE-2018-17972 https://marc.info/?l=linux-fsdevel&m=153806242024956&w=2 Change-Id: I20b7879d32e4485e92e4952be90cbb71bd7acfdb Signed-off-by: Andreas Wellving --- patches/cve/4.14.x.scc | 2 + ...-proc-restrict-kernel-stack-dumps-to-root.patch | 79 ++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index 78e3e2d..26e55cf 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc @@ -2,3 +2,5 @@ patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch #CVEs fixed in 4.14.73: patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch +#CVEs fixed in 4.14.75: +patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch diff --git a/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch new file mode 100644 index 0000000..9daec53 --- /dev/null +++ b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch 
@@ -0,0 +1,79 @@ +From f8566a92ab75d442a823453414c6158b0b3c5ce7 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 5 Oct 2018 15:51:58 -0700 +Subject: [PATCH] proc: restrict kernel stack dumps to root + +commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream. + +Currently, you can use /proc/self/task/*/stack to cause a stack walk on +a task you control while it is running on another CPU. That means that +the stack can change under the stack walker. The stack walker does +have guards against going completely off the rails and into random +kernel memory, but it can interpret random data from your kernel stack +as instruction pointers and stack pointers. This can cause exposure of +kernel stack contents to userspace. + +Restrict the ability to inspect kernel stacks of arbitrary tasks to root +in order to prevent a local attacker from exploiting racy stack unwinding +to leak kernel task stack contents. See the added comment for a longer +rationale. + +There don't seem to be any users of this userspace API that can't +gracefully bail out if reading from the file fails. Therefore, I believe +that this change is unlikely to break things. In the case that this patch +does end up needing a revert, the next-best solution might be to fake a +single-entry stack based on wchan. + +CVE: CVE-2018-17972 +Upstream-Status: Backport + +Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com +Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") +Signed-off-by: Jann Horn +Acked-by: Kees Cook +Cc: Alexey Dobriyan +Cc: Ken Chen +Cc: Will Deacon +Cc: Laura Abbott +Cc: Andy Lutomirski +Cc: Catalin Marinas +Cc: Josh Poimboeuf +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: "H . 
Peter Anvin" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + fs/proc/base.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index c5c42f3e33d1..9063738ff1f0 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -431,6 +431,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns, + int err; + int i; + ++ /* ++ * The ability to racily run the kernel stack unwinder on a running task ++ * and then observe the unwinder output is scary; while it is useful for ++ * debugging kernel issues, it can also allow an attacker to leak kernel ++ * stack contents. ++ * Doing this in a manner that is at least safe from races would require ++ * some work to ensure that the remote task can not be scheduled; and ++ * even then, this would still expose the unwinder as local attack ++ * surface. ++ * Therefore, this interface is restricted to root. ++ */ ++ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) ++ return -EACCES; ++ + entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL); + if (!entries) + return -ENOMEM; +-- +2.19.2 + -- cgit v1.2.3-54-g00ecf
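Review bot: In the patches/cve/4.14.x.scc hunk, the new "#CVEs fixed in 4.14.75:" section is appended after the 4.14.73 entry and the patch line uses the same file name as the file created in this commit (CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch), so the .scc ordering stays chronological and the include resolves; one thing to double-check before merging is that the 4.14.75 label matches the stable release that actually carried commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7, since the patch header only names the upstream (mainline) commit and the "Upstream-Status: Backport" line does not cite the stable commit id.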
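Review bot: In the fs/proc/base.c hunk, the capability check sits in proc_pid_stack(), the seq_file show callback, so an unprivileged open() of /proc/<pid>/stack still succeeds and the -EACCES only surfaces on read(); that is consistent with the commit message's claim that callers can "gracefully bail out if reading from the file fails", but anyone auditing the fix with access()/open() probes will not see the restriction, so the test for this CVE should read the file. Two properties of the check are worth calling out as correct rather than changing: file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN) is evaluated against the opener's credentials (the file's f_cred) and against the initial user namespace, so CAP_SYS_ADMIN held only inside a user namespace does not unlock the kernel unwinder, and the check is placed before the kmalloc() so the early return leaks no allocation. The diffstat shows only fs/proc/base.c changed (1 file changed, 14 insertions), so the user-visible documentation of /proc/<pid>/stack is not updated to say it is now root-only; a one-line follow-up in the proc documentation would help people debugging a sudden EACCES from tools that read this file.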