From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Subject: [maverick, maverick/ti-omap4 CVE 1/5] pagemap: close races with suid execve
Date: Thu, 21 Jul 2011 14:13:37 +0100
Message-Id: <1311254026-29719-8-git-send-email-apw@canonical.com>
In-Reply-To: <1311254026-29719-1-git-send-email-apw@canonical.com>
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 106049

From: Al Viro just use mm_for_maps() Signed-off-by: Al Viro (cherry picked from commit ca6b0bf0e086513b9ee5efc0aa5770ecb57778af) CVE-2011-1020 BugLink: http://bugs.launchpad.net/bugs/813026 Signed-off-by: Andy Whitcroft --- fs/proc/base.c | 4 ++-- fs/proc/task_mmu.c | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index d073b90..e4b77ea 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2600,7 +2600,7 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_PROC_PAGE_MONITOR REG("clear_refs", S_IWUSR, proc_clear_refs_operations), REG("smaps", S_IRUGO, proc_smaps_operations), - REG("pagemap", S_IRUSR, proc_pagemap_operations), + REG("pagemap", S_IRUGO, proc_pagemap_operations), #endif #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), @@ -2939,7 +2939,7 @@ static const struct pid_entry tid_base_stuff[] = { #ifdef CONFIG_PROC_PAGE_MONITOR REG("clear_refs", S_IWUSR, proc_clear_refs_operations), REG("smaps", S_IRUGO, proc_smaps_operations), - REG("pagemap", S_IRUSR, proc_pagemap_operations), + REG("pagemap", S_IRUGO, proc_pagemap_operations), #endif #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 0dfd815..e2292ca 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -717,7 +717,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, goto out; ret = -EACCES; - if (!ptrace_may_access(task, PTRACE_MODE_READ)) + mm = mm_for_maps(task); + if (!mm) goto out_task; ret = -EINVAL; @@ -730,10 +731,6 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, if (!count) goto out_task; - mm = get_task_mm(task); - if (!mm) - goto out_task; - pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT); pm.buffer = kmalloc(pm.len, GFP_TEMPORARY); ret = -ENOMEM;
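
Review bot: In both fs/proc/base.c hunks (tgid_base_stuff and tid_base_stuff) the pagemap entry goes from S_IRUSR to S_IRUGO, and the commit message ("just use mm_for_maps()") does not mention or justify the wider mode. With the file openable by any user, the only remaining gate is the mm_for_maps() call in pagemap_read(), so the message should state that the permission check has moved from open time to read time and why that is sufficient. If the mode change is not needed to close the race, it would be cleaner as a separate patch.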
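
Review bot: In the first fs/proc/task_mmu.c hunk (@@ -717), `ret = -EACCES;` is set just before `mm = mm_for_maps(task); if (!mm) goto out_task;`, so every NULL return is reported as -EACCES, whether access was refused or the task has no mm at all. The removed `get_task_mm()` failure path sat further down, after the `ret = -EINVAL` and `!count` checks, so the error returned for an mm-less task changes with this patch. Please either set ret per cause or note the changed return value in the commit message.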
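
Review bot: Possible mm reference leak in the second fs/proc/task_mmu.c hunk (@@ -730): the unchanged context `if (!count) goto out_task;` now runs after mm_for_maps() has already returned a reference, yet it still jumps to out_task, the same label used when mm is NULL. The check that follows `ret = -EINVAL;` in the previous hunk sits after the acquisition as well. Since out_task is also reached with no mm, it presumably does not drop one, so these early exits need their own label that calls mmput(mm), or the mm_for_maps() call should move below the argument checks where the removed `get_task_mm()` was.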