<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/proc, branch linux-4.1.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>tty fix oops when rmmod 8250</title>
<updated>2018-01-17T17:55:39+00:00</updated>
<author>
<name>nixiaoming</name>
<email>nixiaoming@huawei.com</email>
</author>
<published>2017-09-15T09:45:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=817c8706ce04e19209ffa05c68b038e3c56143ec'/>
<id>817c8706ce04e19209ffa05c68b038e3c56143ec</id>
<content type='text'>
[ Upstream commit c79dde629d2027ca80329c62854a7635e623d527 ]

After rmmod 8250.ko
tty_kref_put starts kwork (release_one_tty) to release proc interface
oops when accessing driver-&gt;driver_name in proc_tty_unregister_driver

Use jprobe, found driver-&gt;driver_name point to 8250.ko
static static struct uart_driver serial8250_reg
.driver_name= serial,

Use name in proc_dir_entry instead of driver-&gt;driver_name to fix oops

test on linux 4.1.12:

BUG: unable to handle kernel paging request at ffffffffa01979de
IP: [&lt;ffffffff81310f40&gt;] strchr+0x0/0x30
PGD 1a0d067 PUD 1a0e063 PMD 851c1f067 PTE 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ... ...  [last unloaded: 8250]
CPU: 7 PID: 116 Comm: kworker/7:1 Tainted: G           O    4.1.12 #1
Hardware name: Insyde RiverForest/Type2 - Board Product Name1, BIOS NE5KV904 12/21/2015
Workqueue: events release_one_tty
task: ffff88085b684960 ti: ffff880852884000 task.ti: ffff880852884000
RIP: 0010:[&lt;ffffffff81310f40&gt;]  [&lt;ffffffff81310f40&gt;] strchr+0x0/0x30
RSP: 0018:ffff880852887c90  EFLAGS: 00010282
RAX: ffffffff81a5eca0 RBX: ffffffffa01979de RCX: 0000000000000004
RDX: ffff880852887d10 RSI: 000000000000002f RDI: ffffffffa01979de
RBP: ffff880852887cd8 R08: 0000000000000000 R09: ffff88085f5d94d0
R10: 0000000000000195 R11: 0000000000000000 R12: ffffffffa01979de
R13: ffff880852887d00 R14: ffffffffa01979de R15: ffff88085f02e840
FS:  0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa01979de CR3: 0000000001a0c000 CR4: 00000000001406e0
Stack:
 ffffffff812349b1 ffff880852887cb8 ffff880852887d10 ffff88085f5cd6c2
 ffff880852800a80 ffffffffa01979de ffff880852800a84 0000000000000010
 ffff88085bb28bd8 ffff880852887d38 ffffffff812354f0 ffff880852887d08
Call Trace:
 [&lt;ffffffff812349b1&gt;] ? __xlate_proc_name+0x71/0xd0
 [&lt;ffffffff812354f0&gt;] remove_proc_entry+0x40/0x180
 [&lt;ffffffff815f6811&gt;] ? _raw_spin_lock_irqsave+0x41/0x60
 [&lt;ffffffff813be520&gt;] ? destruct_tty_driver+0x60/0xe0
 [&lt;ffffffff81237c68&gt;] proc_tty_unregister_driver+0x28/0x40
 [&lt;ffffffff813be548&gt;] destruct_tty_driver+0x88/0xe0
 [&lt;ffffffff813be5bd&gt;] tty_driver_kref_put+0x1d/0x20
 [&lt;ffffffff813becca&gt;] release_one_tty+0x5a/0xd0
 [&lt;ffffffff81074159&gt;] process_one_work+0x139/0x420
 [&lt;ffffffff810745a1&gt;] worker_thread+0x121/0x450
 [&lt;ffffffff81074480&gt;] ? process_scheduled_works+0x40/0x40
 [&lt;ffffffff8107a16c&gt;] kthread+0xec/0x110
 [&lt;ffffffff81080000&gt;] ? tg_rt_schedulable+0x210/0x220
 [&lt;ffffffff8107a080&gt;] ? kthread_freezable_should_stop+0x80/0x80
 [&lt;ffffffff815f7292&gt;] ret_from_fork+0x42/0x70
 [&lt;ffffffff8107a080&gt;] ? kthread_freezable_should_stop+0x80/0x80

Signed-off-by: nixiaoming &lt;nixiaoming@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c79dde629d2027ca80329c62854a7635e623d527 ]

After rmmod 8250.ko
tty_kref_put starts kwork (release_one_tty) to release proc interface
oops when accessing driver-&gt;driver_name in proc_tty_unregister_driver

Use jprobe, found driver-&gt;driver_name point to 8250.ko
static static struct uart_driver serial8250_reg
.driver_name= serial,

Use name in proc_dir_entry instead of driver-&gt;driver_name to fix oops

test on linux 4.1.12:

BUG: unable to handle kernel paging request at ffffffffa01979de
IP: [&lt;ffffffff81310f40&gt;] strchr+0x0/0x30
PGD 1a0d067 PUD 1a0e063 PMD 851c1f067 PTE 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ... ...  [last unloaded: 8250]
CPU: 7 PID: 116 Comm: kworker/7:1 Tainted: G           O    4.1.12 #1
Hardware name: Insyde RiverForest/Type2 - Board Product Name1, BIOS NE5KV904 12/21/2015
Workqueue: events release_one_tty
task: ffff88085b684960 ti: ffff880852884000 task.ti: ffff880852884000
RIP: 0010:[&lt;ffffffff81310f40&gt;]  [&lt;ffffffff81310f40&gt;] strchr+0x0/0x30
RSP: 0018:ffff880852887c90  EFLAGS: 00010282
RAX: ffffffff81a5eca0 RBX: ffffffffa01979de RCX: 0000000000000004
RDX: ffff880852887d10 RSI: 000000000000002f RDI: ffffffffa01979de
RBP: ffff880852887cd8 R08: 0000000000000000 R09: ffff88085f5d94d0
R10: 0000000000000195 R11: 0000000000000000 R12: ffffffffa01979de
R13: ffff880852887d00 R14: ffffffffa01979de R15: ffff88085f02e840
FS:  0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa01979de CR3: 0000000001a0c000 CR4: 00000000001406e0
Stack:
 ffffffff812349b1 ffff880852887cb8 ffff880852887d10 ffff88085f5cd6c2
 ffff880852800a80 ffffffffa01979de ffff880852800a84 0000000000000010
 ffff88085bb28bd8 ffff880852887d38 ffffffff812354f0 ffff880852887d08
Call Trace:
 [&lt;ffffffff812349b1&gt;] ? __xlate_proc_name+0x71/0xd0
 [&lt;ffffffff812354f0&gt;] remove_proc_entry+0x40/0x180
 [&lt;ffffffff815f6811&gt;] ? _raw_spin_lock_irqsave+0x41/0x60
 [&lt;ffffffff813be520&gt;] ? destruct_tty_driver+0x60/0xe0
 [&lt;ffffffff81237c68&gt;] proc_tty_unregister_driver+0x28/0x40
 [&lt;ffffffff813be548&gt;] destruct_tty_driver+0x88/0xe0
 [&lt;ffffffff813be5bd&gt;] tty_driver_kref_put+0x1d/0x20
 [&lt;ffffffff813becca&gt;] release_one_tty+0x5a/0xd0
 [&lt;ffffffff81074159&gt;] process_one_work+0x139/0x420
 [&lt;ffffffff810745a1&gt;] worker_thread+0x121/0x450
 [&lt;ffffffff81074480&gt;] ? process_scheduled_works+0x40/0x40
 [&lt;ffffffff8107a16c&gt;] kthread+0xec/0x110
 [&lt;ffffffff81080000&gt;] ? tg_rt_schedulable+0x210/0x220
 [&lt;ffffffff8107a080&gt;] ? kthread_freezable_should_stop+0x80/0x80
 [&lt;ffffffff815f7292&gt;] ret_from_fork+0x42/0x70
 [&lt;ffffffff8107a080&gt;] ? kthread_freezable_should_stop+0x80/0x80

Signed-off-by: nixiaoming &lt;nixiaoming@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mm: larger stack guard gap, between vmas</title>
<updated>2017-06-28T22:57:15+00:00</updated>
<author>
<name>Sasha Levin</name>
<email>alexander.levin@verizon.com</email>
</author>
<published>2017-06-28T22:57:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8b18c6b2a0dde5186ed83a60c4915c0909cbeb0a'/>
<id>8b18c6b2a0dde5186ed83a60c4915c0909cbeb0a</id>
<content type='text'>
[ Upstream commit 1be7107fbe18eed3e319a6c3e83c78254b693acb ]

Stack guard page is a useful feature to reduce a risk of stack smashing
into a different mapping. We have been using a single page gap which
is sufficient to prevent having stack adjacent to a different mapping.
But this seems to be insufficient in the light of the stack usage in
userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
which is 256kB or stack strings with MAX_ARG_STRLEN.

This will become especially dangerous for suid binaries and the default
no limit for the stack size limit because those applications can be
tricked to consume a large portion of the stack and a single glibc call
could jump over the guard page. These attacks are not theoretical,
unfortunatelly.

Make those attacks less probable by increasing the stack guard gap
to 1MB (on systems with 4k pages; but make it depend on the page size
because systems with larger base pages might cap stack allocations in
the PAGE_SIZE units) which should cover larger alloca() and VLA stack
allocations. It is obviously not a full fix because the problem is
somehow inherent, but it should reduce attack space a lot.

One could argue that the gap size should be configurable from userspace,
but that can be done later when somebody finds that the new 1MB is wrong
for some special case applications.  For now, add a kernel command line
option (stack_guard_gap) to specify the stack gap size (in page units).

Implementation wise, first delete all the old code for stack guard page:
because although we could get away with accounting one extra page in a
stack vma, accounting a larger gap can break userspace - case in point,
a program run with "ulimit -S -v 20000" failed when the 1MB gap was
counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
and strict non-overcommit mode.

Instead of keeping gap inside the stack vma, maintain the stack guard
gap as a gap between vmas: using vm_start_gap() in place of vm_start
(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
places which need to respect the gap - mainly arch_get_unmapped_area(),
and and the vma tree's subtree_gap support for that.

Original-patch-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Original-patch-by: Michal Hocko &lt;mhocko@suse.com&gt;
Signed-off-by: Hugh Dickins &lt;hughd@google.com&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.com&gt;
Tested-by: Helge Deller &lt;deller@gmx.de&gt; # parisc
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1be7107fbe18eed3e319a6c3e83c78254b693acb ]

Stack guard page is a useful feature to reduce a risk of stack smashing
into a different mapping. We have been using a single page gap which
is sufficient to prevent having stack adjacent to a different mapping.
But this seems to be insufficient in the light of the stack usage in
userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
which is 256kB or stack strings with MAX_ARG_STRLEN.

This will become especially dangerous for suid binaries and the default
no limit for the stack size limit because those applications can be
tricked to consume a large portion of the stack and a single glibc call
could jump over the guard page. These attacks are not theoretical,
unfortunatelly.

Make those attacks less probable by increasing the stack guard gap
to 1MB (on systems with 4k pages; but make it depend on the page size
because systems with larger base pages might cap stack allocations in
the PAGE_SIZE units) which should cover larger alloca() and VLA stack
allocations. It is obviously not a full fix because the problem is
somehow inherent, but it should reduce attack space a lot.

One could argue that the gap size should be configurable from userspace,
but that can be done later when somebody finds that the new 1MB is wrong
for some special case applications.  For now, add a kernel command line
option (stack_guard_gap) to specify the stack gap size (in page units).

Implementation wise, first delete all the old code for stack guard page:
because although we could get away with accounting one extra page in a
stack vma, accounting a larger gap can break userspace - case in point,
a program run with "ulimit -S -v 20000" failed when the 1MB gap was
counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
and strict non-overcommit mode.

Instead of keeping gap inside the stack vma, maintain the stack guard
gap as a gap between vmas: using vm_start_gap() in place of vm_start
(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
places which need to respect the gap - mainly arch_get_unmapped_area(),
and and the vma tree's subtree_gap support for that.

Original-patch-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Original-patch-by: Michal Hocko &lt;mhocko@suse.com&gt;
Signed-off-by: Hugh Dickins &lt;hughd@google.com&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.com&gt;
Tested-by: Helge Deller &lt;deller@gmx.de&gt; # parisc
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>proc: add a schedule point in proc_pid_readdir()</title>
<updated>2017-06-26T02:02:21+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-01-24T23:18:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b98bab153c71520982c0f4d7460efc16f6b49a7'/>
<id>1b98bab153c71520982c0f4d7460efc16f6b49a7</id>
<content type='text'>
[ Upstream commit 3ba4bceef23206349d4130ddf140819b365de7c8 ]

We have seen proc_pid_readdir() invocations holding cpu for more than 50
ms.  Add a cond_resched() to be gentle with other tasks.

[akpm@linux-foundation.org: coding style fix]
Link: http://lkml.kernel.org/r/1484238380.15816.42.camel@edumazet-glaptop3.roam.corp.google.com
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;

Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 3ba4bceef23206349d4130ddf140819b365de7c8 ]

We have seen proc_pid_readdir() invocations holding cpu for more than 50
ms.  Add a cond_resched() to be gentle with other tasks.

[akpm@linux-foundation.org: coding style fix]
Link: http://lkml.kernel.org/r/1484238380.15816.42.camel@edumazet-glaptop3.roam.corp.google.com
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;

Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>proc: Fix unbalanced hard link numbers</title>
<updated>2017-05-17T19:08:24+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2017-04-28T13:00:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3a9700b0709e1db2179f915d3be3a77aba29240c'/>
<id>3a9700b0709e1db2179f915d3be3a77aba29240c</id>
<content type='text'>
[ Upstream commit d66bb1607e2d8d384e53f3d93db5c18483c8c4f7 ]

proc_create_mount_point() forgot to increase the parent's nlink, and
it resulted in unbalanced hard link numbers, e.g. /proc/fs shows one
less than expected.

Fixes: eb6d38d5427b ("proc: Allow creating permanently empty directories...")
Cc: stable@vger.kernel.org
Reported-by: Tristan Ye &lt;tristan.ye@suse.com&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d66bb1607e2d8d384e53f3d93db5c18483c8c4f7 ]

proc_create_mount_point() forgot to increase the parent's nlink, and
it resulted in unbalanced hard link numbers, e.g. /proc/fs shows one
less than expected.

Fixes: eb6d38d5427b ("proc: Allow creating permanently empty directories...")
Cc: stable@vger.kernel.org
Reported-by: Tristan Ye &lt;tristan.ye@suse.com&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sysctl: Drop reference added by grab_header in proc_sys_readdir</title>
<updated>2017-03-06T22:29:17+00:00</updated>
<author>
<name>Zhou Chengming</name>
<email>zhouchengming1@huawei.com</email>
</author>
<published>2017-01-06T01:32:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=13d7adf646017517382ec541652eb7d3bc77742c'/>
<id>13d7adf646017517382ec541652eb7d3bc77742c</id>
<content type='text'>
[ Upstream commit 93362fa47fe98b62e4a34ab408c4a418432e7939 ]

Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
added by grab_header when return from !dir_emit_dots path.
It can cause any path called unregister_sysctl_table will
wait forever.

The calltrace of CVE-2016-9191:

[ 5535.960522] Call Trace:
[ 5535.963265]  [&lt;ffffffff817cdaaf&gt;] schedule+0x3f/0xa0
[ 5535.968817]  [&lt;ffffffff817d33fb&gt;] schedule_timeout+0x3db/0x6f0
[ 5535.975346]  [&lt;ffffffff817cf055&gt;] ? wait_for_completion+0x45/0x130
[ 5535.982256]  [&lt;ffffffff817cf0d3&gt;] wait_for_completion+0xc3/0x130
[ 5535.988972]  [&lt;ffffffff810d1fd0&gt;] ? wake_up_q+0x80/0x80
[ 5535.994804]  [&lt;ffffffff8130de64&gt;] drop_sysctl_table+0xc4/0xe0
[ 5536.001227]  [&lt;ffffffff8130de17&gt;] drop_sysctl_table+0x77/0xe0
[ 5536.007648]  [&lt;ffffffff8130decd&gt;] unregister_sysctl_table+0x4d/0xa0
[ 5536.014654]  [&lt;ffffffff8130deff&gt;] unregister_sysctl_table+0x7f/0xa0
[ 5536.021657]  [&lt;ffffffff810f57f5&gt;] unregister_sched_domain_sysctl+0x15/0x40
[ 5536.029344]  [&lt;ffffffff810d7704&gt;] partition_sched_domains+0x44/0x450
[ 5536.036447]  [&lt;ffffffff817d0761&gt;] ? __mutex_unlock_slowpath+0x111/0x1f0
[ 5536.043844]  [&lt;ffffffff81167684&gt;] rebuild_sched_domains_locked+0x64/0xb0
[ 5536.051336]  [&lt;ffffffff8116789d&gt;] update_flag+0x11d/0x210
[ 5536.057373]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.064186]  [&lt;ffffffff81167acb&gt;] ? cpuset_css_offline+0x1b/0x60
[ 5536.070899]  [&lt;ffffffff810fce3d&gt;] ? trace_hardirqs_on+0xd/0x10
[ 5536.077420]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.084234]  [&lt;ffffffff8115a9f5&gt;] ? css_killed_work_fn+0x25/0x220
[ 5536.091049]  [&lt;ffffffff81167ae5&gt;] cpuset_css_offline+0x35/0x60
[ 5536.097571]  [&lt;ffffffff8115aa2c&gt;] css_killed_work_fn+0x5c/0x220
[ 5536.104207]  [&lt;ffffffff810bc83f&gt;] process_one_work+0x1df/0x710
[ 5536.110736]  [&lt;ffffffff810bc7c0&gt;] ? process_one_work+0x160/0x710
[ 5536.117461]  [&lt;ffffffff810bce9b&gt;] worker_thread+0x12b/0x4a0
[ 5536.123697]  [&lt;ffffffff810bcd70&gt;] ? process_one_work+0x710/0x710
[ 5536.130426]  [&lt;ffffffff810c3f7e&gt;] kthread+0xfe/0x120
[ 5536.135991]  [&lt;ffffffff817d4baf&gt;] ret_from_fork+0x1f/0x40
[ 5536.142041]  [&lt;ffffffff810c3e80&gt;] ? kthread_create_on_node+0x230/0x230

One cgroup maintainer mentioned that "cgroup is trying to offline
a cpuset css, which takes place under cgroup_mutex.  The offlining
ends up trying to drain active usages of a sysctl table which apprently
is not happening."
The real reason is that proc_sys_readdir doesn't drop reference added
by grab_header when return from !dir_emit_dots path. So this cpuset
offline path will wait here forever.

See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13

Fixes: f0c3b5093add ("[readdir] convert procfs")
Cc: stable@vger.kernel.org
Reported-by: CAI Qian &lt;caiqian@redhat.com&gt;
Tested-by: Yang Shukui &lt;yangshukui@huawei.com&gt;
Signed-off-by: Zhou Chengming &lt;zhouchengming1@huawei.com&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 93362fa47fe98b62e4a34ab408c4a418432e7939 ]

Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
added by grab_header when return from !dir_emit_dots path.
It can cause any path called unregister_sysctl_table will
wait forever.

The calltrace of CVE-2016-9191:

[ 5535.960522] Call Trace:
[ 5535.963265]  [&lt;ffffffff817cdaaf&gt;] schedule+0x3f/0xa0
[ 5535.968817]  [&lt;ffffffff817d33fb&gt;] schedule_timeout+0x3db/0x6f0
[ 5535.975346]  [&lt;ffffffff817cf055&gt;] ? wait_for_completion+0x45/0x130
[ 5535.982256]  [&lt;ffffffff817cf0d3&gt;] wait_for_completion+0xc3/0x130
[ 5535.988972]  [&lt;ffffffff810d1fd0&gt;] ? wake_up_q+0x80/0x80
[ 5535.994804]  [&lt;ffffffff8130de64&gt;] drop_sysctl_table+0xc4/0xe0
[ 5536.001227]  [&lt;ffffffff8130de17&gt;] drop_sysctl_table+0x77/0xe0
[ 5536.007648]  [&lt;ffffffff8130decd&gt;] unregister_sysctl_table+0x4d/0xa0
[ 5536.014654]  [&lt;ffffffff8130deff&gt;] unregister_sysctl_table+0x7f/0xa0
[ 5536.021657]  [&lt;ffffffff810f57f5&gt;] unregister_sched_domain_sysctl+0x15/0x40
[ 5536.029344]  [&lt;ffffffff810d7704&gt;] partition_sched_domains+0x44/0x450
[ 5536.036447]  [&lt;ffffffff817d0761&gt;] ? __mutex_unlock_slowpath+0x111/0x1f0
[ 5536.043844]  [&lt;ffffffff81167684&gt;] rebuild_sched_domains_locked+0x64/0xb0
[ 5536.051336]  [&lt;ffffffff8116789d&gt;] update_flag+0x11d/0x210
[ 5536.057373]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.064186]  [&lt;ffffffff81167acb&gt;] ? cpuset_css_offline+0x1b/0x60
[ 5536.070899]  [&lt;ffffffff810fce3d&gt;] ? trace_hardirqs_on+0xd/0x10
[ 5536.077420]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.084234]  [&lt;ffffffff8115a9f5&gt;] ? css_killed_work_fn+0x25/0x220
[ 5536.091049]  [&lt;ffffffff81167ae5&gt;] cpuset_css_offline+0x35/0x60
[ 5536.097571]  [&lt;ffffffff8115aa2c&gt;] css_killed_work_fn+0x5c/0x220
[ 5536.104207]  [&lt;ffffffff810bc83f&gt;] process_one_work+0x1df/0x710
[ 5536.110736]  [&lt;ffffffff810bc7c0&gt;] ? process_one_work+0x160/0x710
[ 5536.117461]  [&lt;ffffffff810bce9b&gt;] worker_thread+0x12b/0x4a0
[ 5536.123697]  [&lt;ffffffff810bcd70&gt;] ? process_one_work+0x710/0x710
[ 5536.130426]  [&lt;ffffffff810c3f7e&gt;] kthread+0xfe/0x120
[ 5536.135991]  [&lt;ffffffff817d4baf&gt;] ret_from_fork+0x1f/0x40
[ 5536.142041]  [&lt;ffffffff810c3e80&gt;] ? kthread_create_on_node+0x230/0x230

One cgroup maintainer mentioned that "cgroup is trying to offline
a cpuset css, which takes place under cgroup_mutex.  The offlining
ends up trying to drain active usages of a sysctl table which apprently
is not happening."
The real reason is that proc_sys_readdir doesn't drop reference added
by grab_header when return from !dir_emit_dots path. So this cpuset
offline path will wait here forever.

See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13

Fixes: f0c3b5093add ("[readdir] convert procfs")
Cc: stable@vger.kernel.org
Reported-by: CAI Qian &lt;caiqian@redhat.com&gt;
Tested-by: Yang Shukui &lt;yangshukui@huawei.com&gt;
Signed-off-by: Zhou Chengming &lt;zhouchengming1@huawei.com&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fs: Give dentry to inode_change_ok() instead of inode</title>
<updated>2016-12-23T13:56:35+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-12-14T12:24:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cb8e1eef351b640cfdb1a753ef44494fbf59186d'/>
<id>cb8e1eef351b640cfdb1a753ef44494fbf59186d</id>
<content type='text'>
[ Upstream commit 31051c85b5e2aaaf6315f74c72a732673632a905 ]

inode_change_ok() will be resposible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better relect that it does also some
modifications in addition to checks.

References: CVE-2015-1350
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Philipp Hahn &lt;hahn@univention.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 31051c85b5e2aaaf6315f74c72a732673632a905 ]

inode_change_ok() will be resposible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better relect that it does also some
modifications in addition to checks.

References: CVE-2015-1350
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Philipp Hahn &lt;hahn@univention.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fs/proc/task_mmu.c: fix mm_access() mode parameter in pagemap_read()</title>
<updated>2016-08-12T17:27:29+00:00</updated>
<author>
<name>Kenny Keslar</name>
<email>kenny.keslar@oracle.com</email>
</author>
<published>2016-08-12T17:27:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5c576457aca8fc07bdb800a4589357801133f81b'/>
<id>5c576457aca8fc07bdb800a4589357801133f81b</id>
<content type='text'>
Backport of caaee6234d05a58c5b4d05e7bf766131b810a657 ("ptrace: use fsuid,
fsgid, effective creds for fs access checks") to v4.1 failed to update the
mode parameter in the mm_access() call in pagemap_read() to have one of the
new PTRACE_MODE_*CREDS flags.

Attempting to read any other process' pagemap results in a WARN()

WARNING: CPU: 0 PID: 883 at kernel/ptrace.c:229 __ptrace_may_access+0x14a/0x160()
denying ptrace access check without PTRACE_MODE_*CREDS
Modules linked in: loop sg e1000 i2c_piix4 ppdev virtio_balloon virtio_pci parport_pc i2c_core virtio_ring ata_generic serio_raw pata_acpi virtio parport pcspkr floppy acpi_cpufreq ip_tables ext3 mbcache jbd sd_mod ata_piix crc32c_intel libata
CPU: 0 PID: 883 Comm: cat Tainted: G        W       4.1.12-51.el7uek.x86_64 #2
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  0000000000000286 00000000619f225a ffff88003b6fbc18 ffffffff81717021
  ffff88003b6fbc70 ffffffff819be870 ffff88003b6fbc58 ffffffff8108477a
  000000003b6fbc58 0000000000000001 ffff88003d287000 0000000000000001
Call Trace:
  [&lt;ffffffff81717021&gt;] dump_stack+0x63/0x81
  [&lt;ffffffff8108477a&gt;] warn_slowpath_common+0x8a/0xc0
  [&lt;ffffffff81084805&gt;] warn_slowpath_fmt+0x55/0x70
  [&lt;ffffffff8108e57a&gt;] __ptrace_may_access+0x14a/0x160
  [&lt;ffffffff8108f372&gt;] ptrace_may_access+0x32/0x50
  [&lt;ffffffff81081bad&gt;] mm_access+0x6d/0xb0
  [&lt;ffffffff81278c81&gt;] pagemap_read+0xe1/0x360
  [&lt;ffffffff811a046b&gt;] ? lru_cache_add_active_or_unevictable+0x2b/0xa0
  [&lt;ffffffff8120d2e7&gt;] __vfs_read+0x37/0x100
  [&lt;ffffffff812b9ab4&gt;] ? security_file_permission+0x84/0xa0
  [&lt;ffffffff8120d8b6&gt;] ? rw_verify_area+0x56/0xe0
  [&lt;ffffffff8120d9c6&gt;] vfs_read+0x86/0x140
  [&lt;ffffffff8120e945&gt;] SyS_read+0x55/0xd0
  [&lt;ffffffff8171eb6e&gt;] system_call_fastpath+0x12/0x71

Fixes: ab88ce5feca4 (ptrace: use fsuid, fsgid, effective creds for fs access checks)
Signed-off-by: Kenny Keslar &lt;kenny.keslar@oracle.com&gt;
Cc: Roland McGrath &lt;roland@hack.frob.com&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Backport of caaee6234d05a58c5b4d05e7bf766131b810a657 ("ptrace: use fsuid,
fsgid, effective creds for fs access checks") to v4.1 failed to update the
mode parameter in the mm_access() call in pagemap_read() to have one of the
new PTRACE_MODE_*CREDS flags.

Attempting to read any other process' pagemap results in a WARN()

WARNING: CPU: 0 PID: 883 at kernel/ptrace.c:229 __ptrace_may_access+0x14a/0x160()
denying ptrace access check without PTRACE_MODE_*CREDS
Modules linked in: loop sg e1000 i2c_piix4 ppdev virtio_balloon virtio_pci parport_pc i2c_core virtio_ring ata_generic serio_raw pata_acpi virtio parport pcspkr floppy acpi_cpufreq ip_tables ext3 mbcache jbd sd_mod ata_piix crc32c_intel libata
CPU: 0 PID: 883 Comm: cat Tainted: G        W       4.1.12-51.el7uek.x86_64 #2
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  0000000000000286 00000000619f225a ffff88003b6fbc18 ffffffff81717021
  ffff88003b6fbc70 ffffffff819be870 ffff88003b6fbc58 ffffffff8108477a
  000000003b6fbc58 0000000000000001 ffff88003d287000 0000000000000001
Call Trace:
  [&lt;ffffffff81717021&gt;] dump_stack+0x63/0x81
  [&lt;ffffffff8108477a&gt;] warn_slowpath_common+0x8a/0xc0
  [&lt;ffffffff81084805&gt;] warn_slowpath_fmt+0x55/0x70
  [&lt;ffffffff8108e57a&gt;] __ptrace_may_access+0x14a/0x160
  [&lt;ffffffff8108f372&gt;] ptrace_may_access+0x32/0x50
  [&lt;ffffffff81081bad&gt;] mm_access+0x6d/0xb0
  [&lt;ffffffff81278c81&gt;] pagemap_read+0xe1/0x360
  [&lt;ffffffff811a046b&gt;] ? lru_cache_add_active_or_unevictable+0x2b/0xa0
  [&lt;ffffffff8120d2e7&gt;] __vfs_read+0x37/0x100
  [&lt;ffffffff812b9ab4&gt;] ? security_file_permission+0x84/0xa0
  [&lt;ffffffff8120d8b6&gt;] ? rw_verify_area+0x56/0xe0
  [&lt;ffffffff8120d9c6&gt;] vfs_read+0x86/0x140
  [&lt;ffffffff8120e945&gt;] SyS_read+0x55/0xd0
  [&lt;ffffffff8171eb6e&gt;] system_call_fastpath+0x12/0x71

Fixes: ab88ce5feca4 (ptrace: use fsuid, fsgid, effective creds for fs access checks)
Signed-off-by: Kenny Keslar &lt;kenny.keslar@oracle.com&gt;
Cc: Roland McGrath &lt;roland@hack.frob.com&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>proc: prevent accessing /proc/&lt;PID&gt;/environ until it's ready</title>
<updated>2016-07-11T03:07:18+00:00</updated>
<author>
<name>Mathias Krause</name>
<email>minipli@googlemail.com</email>
</author>
<published>2016-05-05T23:22:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=93c4863f4435023fcfdae542039860349189b334'/>
<id>93c4863f4435023fcfdae542039860349189b334</id>
<content type='text'>
[ Upstream commit 8148a73c9901a8794a50f950083c00ccf97d43b3 ]

If /proc/&lt;PID&gt;/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing to read beyond the end of what has been written.

Fix this as it is done for /proc/&lt;PID&gt;/cmdline by testing env_end for
zero.  It is, apparently, intentionally set last in create_*_tables().

This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.

The expected consequence is that userland trying to access
/proc/&lt;PID&gt;/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.

Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&amp;t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Cc: Emese Revfy &lt;re.emese@gmail.com&gt;
Cc: Pax Team &lt;pageexec@freemail.hu&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Mateusz Guzik &lt;mguzik@redhat.com&gt;
Cc: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Cc: Cyrill Gorcunov &lt;gorcunov@openvz.org&gt;
Cc: Jarod Wilson &lt;jarod@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8148a73c9901a8794a50f950083c00ccf97d43b3 ]

If /proc/&lt;PID&gt;/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing to read beyond the end of what has been written.

Fix this as it is done for /proc/&lt;PID&gt;/cmdline by testing env_end for
zero.  It is, apparently, intentionally set last in create_*_tables().

This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.

The expected consequence is that userland trying to access
/proc/&lt;PID&gt;/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.

Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&amp;t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause &lt;minipli@googlemail.com&gt;
Cc: Emese Revfy &lt;re.emese@gmail.com&gt;
Cc: Pax Team &lt;pageexec@freemail.hu&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Mateusz Guzik &lt;mguzik@redhat.com&gt;
Cc: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Cc: Cyrill Gorcunov &lt;gorcunov@openvz.org&gt;
Cc: Jarod Wilson &lt;jarod@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>proc: prevent stacking filesystems on top</title>
<updated>2016-06-18T20:47:32+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jannh@google.com</email>
</author>
<published>2016-06-01T09:55:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c96e6bf5705254a4c93ca25d6d3c68a04fc7ab5b'/>
<id>c96e6bf5705254a4c93ca25d6d3c68a04fc7ab5b</id>
<content type='text'>
[ Upstream commit e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 ]

This prevents stacking filesystems (ecryptfs and overlayfs) from using
procfs as lower filesystem.  There is too much magic going on inside
procfs, and there is no good reason to stack stuff on top of procfs.

(For example, procfs does access checks in VFS open handlers, and
ecryptfs by design calls open handlers from a kernel thread that doesn't
drop privileges or so.)

Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 ]

This prevents stacking filesystems (ecryptfs and overlayfs) from using
procfs as lower filesystem.  There is too much magic going on inside
procfs, and there is no good reason to stack stuff on top of procfs.

(For example, procfs does access checks in VFS open handlers, and
ecryptfs by design calls open handlers from a kernel thread that doesn't
drop privileges or so.)

Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ptrace: use fsuid, fsgid, effective creds for fs access checks</title>
<updated>2016-04-12T02:07:35+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jann@thejh.net</email>
</author>
<published>2016-01-20T23:00:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ab88ce5feca4204ecf4e7ef6c6693ff67edc2169'/>
<id>ab88ce5feca4204ecf4e7ef6c6693ff67edc2169</id>
<content type='text'>
[ Upstream commit caaee6234d05a58c5b4d05e7bf766131b810a657 ]

By checking the effective credentials instead of the real UID / permitted
capabilities, ensure that the calling process actually intended to use its
credentials.

To ensure that all ptrace checks use the correct caller credentials (e.g.
in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
flag), use two new flags and require one of them to be set.

The problem was that when a privileged task had temporarily dropped its
privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
perform following syscalls with the credentials of a user, it still passed
ptrace access checks that the user would not be able to pass.

While an attacker should not be able to convince the privileged task to
perform a ptrace() syscall, this is a problem because the ptrace access
check is reused for things in procfs.

In particular, the following somewhat interesting procfs entries only rely
on ptrace access checks:

 /proc/$pid/stat - uses the check for determining whether pointers
     should be visible, useful for bypassing ASLR
 /proc/$pid/maps - also useful for bypassing ASLR
 /proc/$pid/cwd - useful for gaining access to restricted
     directories that contain files with lax permissions, e.g. in
     this scenario:
     lrwxrwxrwx root root /proc/13020/cwd -&gt; /root/foobar
     drwx------ root root /root
     drwxr-xr-x root root /root/foobar
     -rw-r--r-- root root /root/foobar/secret

Therefore, on a system where a root-owned mode 6755 binary changes its
effective credentials as described and then dumps a user-specified file,
this could be used by an attacker to reveal the memory layout of root's
processes or reveal the contents of files he is not allowed to access
(through /proc/$pid/cwd).

[akpm@linux-foundation.org: fix warning]
Signed-off-by: Jann Horn &lt;jann@thejh.net&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: Ingo Molnar &lt;mingo@redhat.com&gt;
Cc: James Morris &lt;james.l.morris@oracle.com&gt;
Cc: "Serge E. Hallyn" &lt;serge.hallyn@ubuntu.com&gt;
Cc: Andy Shevchenko &lt;andriy.shevchenko@linux.intel.com&gt;
Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Cc: Willy Tarreau &lt;w@1wt.eu&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;

Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit caaee6234d05a58c5b4d05e7bf766131b810a657 ]

By checking the effective credentials instead of the real UID / permitted
capabilities, ensure that the calling process actually intended to use its
credentials.

To ensure that all ptrace checks use the correct caller credentials (e.g.
in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
flag), use two new flags and require one of them to be set.

The problem was that when a privileged task had temporarily dropped its
privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
perform following syscalls with the credentials of a user, it still passed
ptrace access checks that the user would not be able to pass.

While an attacker should not be able to convince the privileged task to
perform a ptrace() syscall, this is a problem because the ptrace access
check is reused for things in procfs.

In particular, the following somewhat interesting procfs entries only rely
on ptrace access checks:

 /proc/$pid/stat - uses the check for determining whether pointers
     should be visible, useful for bypassing ASLR
 /proc/$pid/maps - also useful for bypassing ASLR
 /proc/$pid/cwd - useful for gaining access to restricted
     directories that contain files with lax permissions, e.g. in
     this scenario:
     lrwxrwxrwx root root /proc/13020/cwd -&gt; /root/foobar
     drwx------ root root /root
     drwxr-xr-x root root /root/foobar
     -rw-r--r-- root root /root/foobar/secret

Therefore, on a system where a root-owned mode 6755 binary changes its
effective credentials as described and then dumps a user-specified file,
this could be used by an attacker to reveal the memory layout of root's
processes or reveal the contents of files he is not allowed to access
(through /proc/$pid/cwd).

[akpm@linux-foundation.org: fix warning]
Signed-off-by: Jann Horn &lt;jann@thejh.net&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: Ingo Molnar &lt;mingo@redhat.com&gt;
Cc: James Morris &lt;james.l.morris@oracle.com&gt;
Cc: "Serge E. Hallyn" &lt;serge.hallyn@ubuntu.com&gt;
Cc: Andy Shevchenko &lt;andriy.shevchenko@linux.intel.com&gt;
Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Cc: Willy Tarreau &lt;w@1wt.eu&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;

Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
