From patchwork Tue Oct 4 17:52:37 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [hardy,CVE,1/1] proc: restrict access to /proc/PID/io Date: Tue, 04 Oct 2011 07:52:37 -0000 From: Andy Whitcroft X-Patchwork-Id: 117677 Message-Id: <1317750762-19278-2-git-send-email-apw@canonical.com> To: kernel-team@lists.ubuntu.com Cc: Andy Whitcroft From: Vasiliy Kulikov /proc/PID/io may be used for gathering private information. E.g. for openssh and vsftpd daemons wchars/rchars may be used to learn the precise password length. Restrict it to processes being able to ptrace the target process. ptrace_may_access() is needed to prevent keeping open file descriptor of "io" file, executing setuid binary and gathering io information of the setuid'ed process. Signed-off-by: Vasiliy Kulikov Signed-off-by: Linus Torvalds (backported from commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51) CVE-2011-2495 BugLink: http://bugs.launchpad.net/bugs/866025 Signed-off-by: Andy Whitcroft --- fs/proc/base.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index a68a4ba..7b9485b 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2256,6 +2256,9 @@ static int proc_base_fill_cache(struct file *filp, void *dirent, #ifdef CONFIG_TASK_IO_ACCOUNTING static int proc_pid_io_accounting(struct task_struct *task, char *buffer) { + if (!ptrace_may_attach(task)) + return -EACCES; + return sprintf(buffer, #ifdef CONFIG_TASK_XACCT "rchar: %llu\n" @@ -2342,7 +2345,7 @@ static const struct pid_entry tgid_base_stuff[] = { REG("coredump_filter", S_IRUGO|S_IWUSR, coredump_filter), #endif #ifdef CONFIG_TASK_IO_ACCOUNTING - INF("io", S_IRUGO, pid_io_accounting), + INF("io", S_IRUSR, pid_io_accounting), #endif };
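Review bot: In the first hunk, the check added at the top of proc_pid_io_accounting() calls ptrace_may_attach(), while the commit message says ptrace_may_access() is needed. The "(backported from commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51)" line should state that the helper was substituted and why, so a reader can confirm that both perform the same check in this tree. A one-line comment above the check would also help, saying that it is done at read time on purpose: the message explains that the goal is to stop a descriptor for "io" being kept open across execution of a setuid binary, which the file mode alone does not cover.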
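Review bot: In the second hunk, only the INF("io", ...) entry in tgid_base_stuff[] is changed from S_IRUGO to S_IRUSR, and the diffstat (4 insertions, 1 deletion) shows no other table is touched. Please confirm in the changelog that this tree has no other "io" entry, for example in a per-thread table, still registered with S_IRUGO. If one exists it should get the same mode so the two views stay consistent. The read-time check from the first hunk would still apply to it if it uses the same pid_io_accounting handler, but the mode bits would then advertise access that the read refuses.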