git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Vasiliy Kulikov <segoon@openwall.com>
	Wed, 5 Oct 2011 00:43:52 +0000 (11:43 +1100)
committer	Stephen Rothwell <sfr@canb.auug.org.au>
	Thu, 13 Oct 2011 06:49:58 +0000 (17:49 +1100)
commit	31c10cbe114e74b29bd1f1748d285d299500a2ff
tree	1e54917dd5e0b7e7f1af93889d1678f070d6e20f	tree \| snapshot
parent	19b46420d8e61cba7a7ba58752ab8c6dd3e7722b	commit \| diff

proc: fix races against execve() of /proc/PID/fd**

fd* files are restricted to the task's owner, and other users may not get
direct access to them.  But one may open any of these files and run any
setuid program, keeping opened file descriptors.  As there are permission
checks on open(), but not on readdir() and read(), operations on the kept
file descriptors will not be checked.  It makes it possible to violate
procfs permission model.

Reading fdinfo/* may disclosure current fds' position and flags, reading
directory contents of fdinfo/ and fd/ may disclosure the number of opened
files by the target task.  This information is not sensible per se, but it
can reveal some private information (like length of a password stored in a
file) under certain conditions.

Used existing (un)lock_trace functions to check for ptrace_may_access(),
but instead of using EPERM return code from it use EACCES to be consistent
with existing proc_pid_follow_link()/proc_pid_readlink() return code.  If
they differ, attacker can guess what fds exist by analyzing stat() return
code.  Patched handlers: stat() for fd/*, stat() and read() for fdindo/*,
readdir() and lookup() for fd/ and fdinfo/.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>