diff options
author | Jake Edge <jake@lwn.net> | 2009-05-04 20:51:14 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-05-05 00:14:23 +0200 |
commit | f83ce3e6b02d5e48b3a43b001390e2b58820389d (patch) | |
tree | 71c57abf4f9d259f5bfa22deaf724db85738f862 /fs/proc/base.c | |
parent | NFS: Close page_mkwrite() races (diff) | |
download | linux-f83ce3e6b02d5e48b3a43b001390e2b58820389d.tar.xz linux-f83ce3e6b02d5e48b3a43b001390e2b58820389d.zip |
proc: avoid information leaks to non-privileged processes
By using the same test as is used for /proc/pid/maps and /proc/pid/smaps,
only allow processes that can ptrace() a given process to see information
that might be used to bypass address space layout randomization (ASLR).
These include eip, esp, wchan, and start_stack in /proc/pid/stat as well
as the non-symbolic output from /proc/pid/wchan.
ASLR can be bypassed by sampling eip as shown by the proof-of-concept
code at http://code.google.com/p/fuzzyaslr/ As part of a presentation
(http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan were
also noted as possibly usable information leaks as well. The
start_stack address also leaks potentially useful information.
Cc: Stable Team <stable@kernel.org>
Signed-off-by: Jake Edge <jake@lwn.net>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to '')
-rw-r--r-- | fs/proc/base.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c index aa763ab00777..fb45615943c2 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -322,7 +322,10 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer) wchan = get_wchan(task); if (lookup_symbol_name(wchan, symname) < 0) - return sprintf(buffer, "%lu", wchan); + if (!ptrace_may_access(task, PTRACE_MODE_READ)) + return 0; + else + return sprintf(buffer, "%lu", wchan); else return sprintf(buffer, "%s", symname); } |