--- /dev/null
+From 34dbbcdbf63360661ff7bda6c5f52f99ac515f92 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 14 Apr 2016 11:22:00 -0700
+Subject: Make file credentials available to the seqfile interfaces
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 34dbbcdbf63360661ff7bda6c5f52f99ac515f92 upstream.
+
+A lot of seqfile users seem to be using things like %pK that uses the
+credentials of the current process, but that is actually completely
+wrong for filesystem interfaces.
+
+The unix semantics for permission checking files is to check permissions
+at _open_ time, not at read or write time, and that is not just a small
+detail: passing off stdin/stdout/stderr to a suid application and making
+the actual IO happen in privileged context is a classic exploit
+technique.
+
+So if we want to be able to look at permissions at read time, we need to
+use the file open credentials, not the current ones. Normal file
+accesses can just use "f_cred" (or any of the helper functions that do
+that, like file_ns_capable()), but the seqfile interfaces do not have
+any such options.
+
+It turns out that seq_file _does_ save away the user_ns information of
+the file, though. Since user_ns is just part of the full credential
+information, replace that special case with saving off the cred pointer
+instead, and suddenly seq_file has all the permission information it
+needs.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/seq_file.c | 7 ++++---
+ include/linux/seq_file.h | 13 ++++---------
+ 2 files changed, 8 insertions(+), 12 deletions(-)
+
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -69,9 +69,10 @@ int seq_open(struct file *file, const st
+ memset(p, 0, sizeof(*p));
+ mutex_init(&p->lock);
+ p->op = op;
+-#ifdef CONFIG_USER_NS
+- p->user_ns = file->f_cred->user_ns;
+-#endif
++
++ // No refcounting: the lifetime of 'p' is constrained
++ // to the lifetime of the file.
++ p->file = file;
+
+ /*
+ * Wrappers around seq_open(e.g. swaps_open) need to be
+--- a/include/linux/seq_file.h
++++ b/include/linux/seq_file.h
+@@ -7,13 +7,10 @@
+ #include <linux/mutex.h>
+ #include <linux/cpumask.h>
+ #include <linux/nodemask.h>
++#include <linux/fs.h>
++#include <linux/cred.h>
+
+ struct seq_operations;
+-struct file;
+-struct path;
+-struct inode;
+-struct dentry;
+-struct user_namespace;
+
+ struct seq_file {
+ char *buf;
+@@ -27,9 +24,7 @@ struct seq_file {
+ struct mutex lock;
+ const struct seq_operations *op;
+ int poll_event;
+-#ifdef CONFIG_USER_NS
+- struct user_namespace *user_ns;
+-#endif
++ const struct file *file;
+ void *private;
+ };
+
+@@ -151,7 +146,7 @@ int seq_put_decimal_ll(struct seq_file *
+ static inline struct user_namespace *seq_user_ns(struct seq_file *seq)
+ {
+ #ifdef CONFIG_USER_NS
+- return seq->user_ns;
++ return seq->file->f_cred->user_ns;
+ #else
+ extern struct user_namespace init_user_ns;
+ return &init_user_ns;
--- /dev/null
+From f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 5 Oct 2018 15:51:58 -0700
+Subject: proc: restrict kernel stack dumps to root
+
+From: Jann Horn <jannh@google.com>
+
+commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.
+
+Currently, you can use /proc/self/task/*/stack to cause a stack walk on
+a task you control while it is running on another CPU. That means that
+the stack can change under the stack walker. The stack walker does
+have guards against going completely off the rails and into random
+kernel memory, but it can interpret random data from your kernel stack
+as instruction pointers and stack pointers. This can cause exposure of
+kernel stack contents to userspace.
+
+Restrict the ability to inspect kernel stacks of arbitrary tasks to root
+in order to prevent a local attacker from exploiting racy stack unwinding
+to leak kernel task stack contents. See the added comment for a longer
+rationale.
+
+There don't seem to be any users of this userspace API that can't
+gracefully bail out if reading from the file fails. Therefore, I believe
+that this change is unlikely to break things. In the case that this patch
+does end up needing a revert, the next-best solution might be to fake a
+single-entry stack based on wchan.
+
+Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
+Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Ken Chen <kenchen@google.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -279,6 +279,20 @@ static int proc_pid_stack(struct seq_fil
+ int err;
+ int i;
+
++ /*
++ * The ability to racily run the kernel stack unwinder on a running task
++ * and then observe the unwinder output is scary; while it is useful for
++ * debugging kernel issues, it can also allow an attacker to leak kernel
++ * stack contents.
++ * Doing this in a manner that is at least safe from races would require
++ * some work to ensure that the remote task can not be scheduled; and
++ * even then, this would still expose the unwinder as local attack
++ * surface.
++ * Therefore, this interface is restricted to root.
++ */
++ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
++ return -EACCES;
++
+ entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
+ if (!entries)
+ return -ENOMEM;
crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch
ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch
dm-thin-metadata-fix-__udivdi3-undefined-on-32-bit.patch
+make-file-credentials-available-to-the-seqfile-interfaces.patch
+proc-restrict-kernel-stack-dumps-to-root.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
