From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 9 Oct 2018 13:42:28 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.4.160~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=25f762e2d07ac8c109ed9c7251f996f0841b9d62;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	make-file-credentials-available-to-the-seqfile-interfaces.patch
	proc-restrict-kernel-stack-dumps-to-root.patch
---

diff --git a/queue-3.18/make-file-credentials-available-to-the-seqfile-interfaces.patch b/queue-3.18/make-file-credentials-available-to-the-seqfile-interfaces.patch
new file mode 100644
index 00000000000..260886aaca6
--- /dev/null
+++ b/queue-3.18/make-file-credentials-available-to-the-seqfile-interfaces.patch
@@ -0,0 +1,94 @@
+From 34dbbcdbf63360661ff7bda6c5f52f99ac515f92 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 14 Apr 2016 11:22:00 -0700
+Subject: Make file credentials available to the seqfile interfaces
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 34dbbcdbf63360661ff7bda6c5f52f99ac515f92 upstream.
+
+A lot of seqfile users seem to be using things like %pK that uses the
+credentials of the current process, but that is actually completely
+wrong for filesystem interfaces.
+
+The unix semantics for permission checking files is to check permissions
+at _open_ time, not at read or write time, and that is not just a small
+detail: passing off stdin/stdout/stderr to a suid application and making
+the actual IO happen in privileged context is a classic exploit
+technique.
+
+So if we want to be able to look at permissions at read time, we need to
+use the file open credentials, not the current ones.  Normal file
+accesses can just use "f_cred" (or any of the helper functions that do
+that, like file_ns_capable()), but the seqfile interfaces do not have
+any such options.
+
+It turns out that seq_file _does_ save away the user_ns information of
+the file, though.  Since user_ns is just part of the full credential
+information, replace that special case with saving off the cred pointer
+instead, and suddenly seq_file has all the permission information it
+needs.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/seq_file.c            |    7 ++++---
+ include/linux/seq_file.h |   13 ++++---------
+ 2 files changed, 8 insertions(+), 12 deletions(-)
+
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -69,9 +69,10 @@ int seq_open(struct file *file, const st
+ 	memset(p, 0, sizeof(*p));
+ 	mutex_init(&p->lock);
+ 	p->op = op;
+-#ifdef CONFIG_USER_NS
+-	p->user_ns = file->f_cred->user_ns;
+-#endif
++
++	// No refcounting: the lifetime of 'p' is constrained
++	// to the lifetime of the file.
++	p->file = file;
+ 
+ 	/*
+ 	 * Wrappers around seq_open(e.g. swaps_open) need to be
+--- a/include/linux/seq_file.h
++++ b/include/linux/seq_file.h
+@@ -7,13 +7,10 @@
+ #include <linux/mutex.h>
+ #include <linux/cpumask.h>
+ #include <linux/nodemask.h>
++#include <linux/fs.h>
++#include <linux/cred.h>
+ 
+ struct seq_operations;
+-struct file;
+-struct path;
+-struct inode;
+-struct dentry;
+-struct user_namespace;
+ 
+ struct seq_file {
+ 	char *buf;
+@@ -27,9 +24,7 @@ struct seq_file {
+ 	struct mutex lock;
+ 	const struct seq_operations *op;
+ 	int poll_event;
+-#ifdef CONFIG_USER_NS
+-	struct user_namespace *user_ns;
+-#endif
++	const struct file *file;
+ 	void *private;
+ };
+ 
+@@ -151,7 +146,7 @@ int seq_put_decimal_ll(struct seq_file *
+ static inline struct user_namespace *seq_user_ns(struct seq_file *seq)
+ {
+ #ifdef CONFIG_USER_NS
+-	return seq->user_ns;
++	return seq->file->f_cred->user_ns;
+ #else
+ 	extern struct user_namespace init_user_ns;
+ 	return &init_user_ns;
diff --git a/queue-3.18/proc-restrict-kernel-stack-dumps-to-root.patch b/queue-3.18/proc-restrict-kernel-stack-dumps-to-root.patch
new file mode 100644
index 00000000000..b04455da97f
--- /dev/null
+++ b/queue-3.18/proc-restrict-kernel-stack-dumps-to-root.patch
@@ -0,0 +1,73 @@
+From f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 5 Oct 2018 15:51:58 -0700
+Subject: proc: restrict kernel stack dumps to root
+
+From: Jann Horn <jannh@google.com>
+
+commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.
+
+Currently, you can use /proc/self/task/*/stack to cause a stack walk on
+a task you control while it is running on another CPU.  That means that
+the stack can change under the stack walker.  The stack walker does
+have guards against going completely off the rails and into random
+kernel memory, but it can interpret random data from your kernel stack
+as instruction pointers and stack pointers.  This can cause exposure of
+kernel stack contents to userspace.
+
+Restrict the ability to inspect kernel stacks of arbitrary tasks to root
+in order to prevent a local attacker from exploiting racy stack unwinding
+to leak kernel task stack contents.  See the added comment for a longer
+rationale.
+
+There don't seem to be any users of this userspace API that can't
+gracefully bail out if reading from the file fails.  Therefore, I believe
+that this change is unlikely to break things.  In the case that this patch
+does end up needing a revert, the next-best solution might be to fake a
+single-entry stack based on wchan.
+
+Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
+Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Ken Chen <kenchen@google.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -279,6 +279,20 @@ static int proc_pid_stack(struct seq_fil
+ 	int err;
+ 	int i;
+ 
++	/*
++	 * The ability to racily run the kernel stack unwinder on a running task
++	 * and then observe the unwinder output is scary; while it is useful for
++	 * debugging kernel issues, it can also allow an attacker to leak kernel
++	 * stack contents.
++	 * Doing this in a manner that is at least safe from races would require
++	 * some work to ensure that the remote task can not be scheduled; and
++	 * even then, this would still expose the unwinder as local attack
++	 * surface.
++	 * Therefore, this interface is restricted to root.
++	 */
++	if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
++		return -EACCES;
++
+ 	entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
+ 	if (!entries)
+ 		return -ENOMEM;
diff --git a/queue-3.18/series b/queue-3.18/series
index 1adb741a07b..f4038388b1e 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -97,3 +97,5 @@ smb2-fix-missing-files-in-root-share-directory-listing.patch
 crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch
 ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch
 dm-thin-metadata-fix-__udivdi3-undefined-on-32-bit.patch
+make-file-credentials-available-to-the-seqfile-interfaces.patch
+proc-restrict-kernel-stack-dumps-to-root.patch