From patchwork Thu Jul 21 13:13:31 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andy Whitcroft <apw@canonical.com>
X-Patchwork-Id: 106044
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com
	[91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id F030CB6F80
	for <incoming@patchwork.ozlabs.org>;
	Thu, 21 Jul 2011 23:14:13 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com)
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1Qjt4c-000823-B1; Thu, 21 Jul 2011 13:13:54 +0000
Received: from adelie.canonical.com ([91.189.90.139])
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <apw@canonical.com>) id 1Qjt4X-00080U-3t
	for kernel-team@lists.ubuntu.com; Thu, 21 Jul 2011 13:13:49 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian))
	id 1Qjt4W-00050O-VR; Thu, 21 Jul 2011 13:13:48 +0000
Received: from [85.210.154.17] (helo=localhost.localdomain)
	by youngberry.canonical.com with esmtpsa
	(TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71)
	(envelope-from <apw@canonical.com>)
	id 1Qjt4W-0007zP-R9; Thu, 21 Jul 2011 13:13:48 +0000
From: Andy Whitcroft <apw@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [hardy CVE 1/1] close races in /proc/*/{environ, auxv},
	CVE-2011-1020
Date: Thu, 21 Jul 2011 14:13:31 +0100
Message-Id: <1311254026-29719-2-git-send-email-apw@canonical.com>
X-Mailer: git-send-email 1.7.4.1
In-Reply-To: <1311254026-29719-1-git-send-email-apw@canonical.com>
References: <1311254026-29719-1-git-send-email-apw@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

Equivalent to:
	commit ec6fd8a4355cda81cd9f06bebc048e83eb514ac7
	commit d6f64b89d7ff22ce05896ab4a93a653e8d0b123d
	commit 2fadaef41283aad7100fa73f01998cddaca25833

Note that the locking is looser than that in upstream this may leaves
a small window which may be exploitable, that said the locks which are
used to ensure there is no window are not in existance back in hardy.
Indeed the races in exec which they are introduced to fix are also present.

CVE-2011-1020
BugLink: http://bugs.launchpad.net/bugs/813026
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/proc/base.c |   25 ++++++++++++++++++++-----
 1 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 338097a..a68a4ba 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -222,6 +222,24 @@ out:
 	return NULL;
 }
 
+struct mm_struct *mm_for_maps2(struct task_struct *task)
+{
+	struct mm_struct *mm = get_task_mm(task);
+	if (!mm)
+		return NULL;
+	task_lock(task);
+	if (task->mm != mm)
+		goto out;
+	if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
+		goto out;
+	task_unlock(task);
+	return mm;
+out:
+	task_unlock(task);
+	mmput(mm);
+	return NULL;
+}
+
 static int proc_pid_cmdline(struct task_struct *task, char * buffer)
 {
 	int res = 0;
@@ -262,7 +280,7 @@ out:
 static int proc_pid_auxv(struct task_struct *task, char *buffer)
 {
 	int res = 0;
-	struct mm_struct *mm = get_task_mm(task);
+	struct mm_struct *mm = mm_for_maps2(task);
 	if (mm) {
 		unsigned int nwords = 0;
 		do
@@ -827,9 +845,6 @@ static ssize_t environ_read(struct file *file, char __user *buf,
 	if (!task)
 		goto out_no_task;
 
-	if (!ptrace_may_attach(task))
-		goto out;
-
 	ret = -ENOMEM;
 	page = (char *)__get_free_page(GFP_TEMPORARY);
 	if (!page)
@@ -837,7 +852,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
 
 	ret = 0;
 
-	mm = get_task_mm(task);
+	mm = mm_for_maps2(task);
 	if (!mm)
 		goto out_free;