git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Willy Tarreau <w@1wt.eu>
	Fri, 11 May 2018 06:11:44 +0000 (08:11 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 17 Dec 2018 20:55:17 +0000 (21:55 +0100)
commit	adc143b97d06a3305707726e69b4247db050cb88
tree	68f85d4925fbd6f75cc7adf124482da5afb52007	tree \| snapshot
parent	56941bb6400ca6ed0fdcaaa1f8c8183234bf199c	commit \| diff

proc: do not access cmdline nor environ from file-backed areas

commit 7f7ccc2ccc2e70c6054685f5e3522efa81556830 upstream.

proc_pid_cmdline_read() and environ_read() directly access the target
process' VM to retrieve the command line and environment. If this
process remaps these areas onto a file via mmap(), the requesting
process may experience various issues such as extra delays if the
underlying device is slow to respond.

Let's simply refuse to access file-backed areas in these functions.
For this we add a new FOLL_ANON gup flag that is passed to all calls
to access_remote_vm(). The code already takes care of such failures
(including unmapped areas). Accesses via /proc/pid/mem were not
changed though.

This was assigned CVE-2018-1120.

Note for stable backports: the patch may apply to kernels prior to 4.11
but silently miss one location; it must be checked that no call to
access_remote_vm() keeps zero as the last argument.

Reported-by: Qualys Security Advisory <qsa@qualys.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 4.4:
- Update the extra call to access_remote_vm() from proc_pid_cmdline_read()
- Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/proc/base.c		diff \| blob \| blame \| history
include/linux/mm.h		diff \| blob \| blame \| history
mm/gup.c		diff \| blob \| blame \| history