linux/fs
Vasiliy Kulikov aa6afca5bc proc: fix races against execve() of /proc/PID/fd**
fd* files are restricted to the task's owner, and other users may not get
direct access to them.  But one may open any of these files and run any
setuid program, keeping the opened file descriptors.  As there are permission
checks on open(), but not on readdir() and read(), operations on the kept
file descriptors will not be checked.  This makes it possible to violate the
procfs permission model.

Reading fdinfo/* may disclose the current fds' positions and flags; reading the
directory contents of fdinfo/ and fd/ may disclose the number of files opened
by the target task.  This information is not sensitive per se, but it
can reveal some private information (like the length of a password stored in a
file) under certain conditions.

Used the existing (un)lock_trace functions to check for ptrace_may_access(),
but instead of using the EPERM return code from it, use EACCES to be consistent
with the existing proc_pid_follow_link()/proc_pid_readlink() return code.  If
they differ, an attacker can guess what fds exist by analyzing the stat() return
code.  Patched handlers: stat() for fd/*, stat() and read() for fdinfo/*,
readdir() and lookup() for fd/ and fdinfo/.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: <stable@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-11-02 16:07:00 -07:00
9p net/9p: Convert net/9p protocol dumps to tracepoints 2011-10-24 11:13:12 -05:00
adfs Fix common misspellings 2011-03-31 11:26:23 -03:00
affs fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
afs AFS: Fix silly characters in a comment 2011-07-20 20:48:03 -04:00
autofs4 autofs4: fix debug printk warning uncovered by cleanup 2011-08-08 12:02:43 -07:00
befs befs: Validate length of long symbolic links. 2011-08-17 13:31:24 -07:00
bfs bfs: remove unnecessary dentry_unhash on dir rename 2011-05-28 01:02:50 -04:00
btrfs Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-10-28 10:49:34 -07:00
cachefiles kill useless checks for sb->s_op == NULL 2011-07-20 01:44:21 -04:00
ceph libceph: fix double-free of page vector 2011-10-25 16:10:17 -07:00
cifs Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-10-28 10:49:34 -07:00
coda fs: Convert vmalloc/memset to vzalloc 2011-09-15 13:56:28 +02:00
configfs doc: fix broken references 2011-09-27 18:08:04 +02:00
cramfs cramfs: get_cramfs_inode() returns ERR_PTR() on failure 2011-07-17 23:22:02 -04:00
debugfs debugfs: Fix a comment mistake 2011-08-22 17:41:48 -07:00
devpts fs/devpts/inode.c: correctly check d_alloc_name() return code in devpts_pty_new() 2011-03-22 17:44:17 -07:00
dlm Merge branch 'for-3.1' of git://linux-nfs.org/~bfields/linux 2011-07-25 22:49:19 -07:00
ecryptfs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
efs make d_splice_alias(ERR_PTR(err), dentry) = ERR_PTR(err) 2011-07-20 01:44:26 -04:00
exofs ore: Enable RAID5 mounts 2011-10-24 17:22:29 -07:00
exportfs
ext2 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
ext3 Merge branch 'next' of git://selinuxproject.org/~jmorris/linux-security 2011-10-25 09:45:31 +02:00
ext4 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
fat fat: follow rename pack_hex_byte() to hex_byte_pack() 2011-10-31 17:30:57 -07:00
freevxfs treewide: fix a few typos in comments 2011-05-10 10:16:21 +02:00
fscache FS-Cache: Fix __fscache_uncache_all_inode_pages()'s outer loop 2011-07-21 10:59:16 -07:00
fuse fuse: fix memory leak 2011-09-12 11:47:10 -07:00
gfs2 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
hfs hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops 2011-11-02 16:06:59 -07:00
hfsplus hfsplus: fix filesystem size checks 2011-09-15 09:03:17 -07:00
hostfs fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
hpfs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
hppfs hppfs: missing include 2011-07-27 22:21:58 -04:00
hugetlbfs lockdep: Add helper function for dir vs file i_mutex annotation 2011-08-25 10:50:18 -07:00
isofs isofs: add readpages support 2011-11-02 16:06:59 -07:00
jbd jbd: Use WRITE_SYNC in journal checkpoint. 2011-06-28 00:06:41 +02:00
jbd2 jbd2: remove jbd2_dev_to_name() from jbd2 tracepoints 2011-07-10 22:05:08 -04:00
jffs2 Merge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next 2011-08-09 10:31:03 +10:00
jfs Merge branch 'next' of git://selinuxproject.org/~jmorris/linux-security 2011-10-25 09:45:31 +02:00
lockd SUNRPC: Replace svc_addr_u by sockaddr_storage 2011-09-14 08:21:48 -04:00
logfs lib/string.c: introduce memchr_inv() 2011-10-31 17:30:47 -07:00
minix minix_getattr(): don't bother with ->d_parent 2011-07-20 20:47:53 -04:00
ncpfs fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
nfs Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-10-28 10:49:34 -07:00
nfs_common Fix common misspellings 2011-03-31 11:26:23 -03:00
nfsd nfs41: implement DESTROY_CLIENTID operation 2011-10-24 04:24:30 -04:00
nilfs2 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
nls
notify atomic: use <linux/atomic.h> 2011-07-26 16:49:47 -07:00
ntfs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
ocfs2 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
omfs omfs: fix (mode & S_IFDIR) abuse 2011-07-26 13:05:28 -04:00
openpromfs
partitions treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
proc proc: fix races against execve() of /proc/PID/fd** 2011-11-02 16:07:00 -07:00
pstore pstore: make pstore write function return normal success/fail value 2011-10-12 09:17:24 -07:00
qnx4
quota VFS: Fix the remaining automounter semantics regressions 2011-09-26 19:16:46 -07:00
ramfs ramfs: remove module leftovers 2011-11-02 16:06:58 -07:00
reiserfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-10-25 12:11:02 +02:00
romfs romfs: fix romfs_get_unmapped_area() argument check 2011-06-27 18:00:12 -07:00
squashfs doc: fix broken references 2011-09-27 18:08:04 +02:00
sysfs sysfs: Make sysfs_rename safe with sysfs_dirents in rbtrees. 2011-11-01 09:16:14 -07:00
sysv sysv: remove unnecessary dentry_unhash from rmdir, dir rename 2011-05-28 01:02:50 -04:00
ubifs UBIFS: not build debug messages with CONFIG_UBIFS_FS_DEBUG disabled 2011-08-19 18:58:58 +03:00
udf treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
ufs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
xfs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
aio.c Cross Memory Attach 2011-10-31 17:30:44 -07:00
anon_inodes.c vfs: dont chain pipe/anon/socket on superblock s_inodes list 2011-07-26 12:57:09 -04:00
attr.c Merge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next 2011-08-09 10:31:03 +10:00
bad_inode.c fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
binfmt_aout.c
binfmt_elf_fdpic.c consolidate BINPRM_FLAGS_ENFORCE_NONDUMP handling 2011-07-20 01:43:10 -04:00
binfmt_elf.c binfmt_elf: fix PIE execution with randomization disabled 2011-11-02 16:06:58 -07:00
binfmt_em86.c
binfmt_flat.c CRED: Fix load_flat_shared_library() to initialise bprm correctly 2011-05-03 10:10:51 +10:00
binfmt_misc.c consolidate BINPRM_FLAGS_ENFORCE_NONDUMP handling 2011-07-20 01:43:10 -04:00
binfmt_script.c
binfmt_som.c
bio-integrity.c block: Require subsystems to explicitly allocate bio_set integrity mempool 2011-03-17 11:11:05 +01:00
bio.c block: improve the bio_add_page() and bio_add_pc_page() descriptions 2011-05-28 14:44:46 +02:00
block_dev.c Avoid dereferencing a 'request_queue' after last close. 2011-09-10 17:20:21 +10:00
buffer.c fs/buffer.c: add device information for error output in __find_get_block_slow() 2011-10-31 17:30:49 -07:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c compat_ioctl: add compat handler for PPPIOCGL2TPSTATS 2011-08-07 22:24:41 -07:00
compat.c Cross Memory Attach 2011-10-31 17:30:44 -07:00
dcache.c vfs: renumber DCACHE_xyz flags, remove some stale ones 2011-08-06 22:52:40 -07:00
dcookies.c oprofile, dcookies: Fix possible circular locking dependency 2011-05-31 16:33:35 +02:00
direct-io.c direct-io: merge direct_io_walker into __blockdev_direct_IO 2011-10-28 14:58:58 +02:00
drop_caches.c vmscan: change shrinker API by passing shrink_control struct 2011-05-25 08:39:26 -07:00
eventfd.c
eventpoll.c epoll: fix spurious lockdep warnings 2011-10-31 17:30:57 -07:00
exec.c oom: remove oom_disable_count 2011-10-31 17:30:45 -07:00
fcntl.c userns: rename is_owner_or_cap to inode_owner_or_capable 2011-03-23 19:47:13 -07:00
fhandle.c fs/fhandle.c: add <linux/personality.h> for ia64 2011-04-14 16:06:56 -07:00
fifo.c Filesystem: fifo: Fixed coding style issue. 2011-03-21 00:16:09 -04:00
file_table.c atomic: use <linux/atomic.h> 2011-07-26 16:49:47 -07:00
file.c vfs: avoid large kmalloc()s for the fdtable 2011-04-28 11:28:20 -07:00
filesystems.c fs: synchronize_rcu when unregister_filesystem success not failure 2011-04-17 10:42:01 -07:00
fs_struct.c
fs-writeback.c don't busy retry the inode on failed grab_super_passive() 2011-07-31 22:52:08 +08:00
generic_acl.c switch posix_acl_equiv_mode() to umode_t * 2011-08-01 02:10:06 -04:00
inode.c vfs: fix spinning prevention in prune_icache_sb 2011-10-28 14:58:55 +02:00
internal.h superblock: move pin_sb_for_writeback() to fs/super.c 2011-07-20 01:44:38 -04:00
ioctl.c vfs: cleanup do_vfs_ioctl() 2011-03-21 00:16:08 -04:00
ioprio.c
Kconfig tmpfs: add "tmpfs" to the Kconfig prompt to make it obvious. 2011-10-31 17:30:45 -07:00
Kconfig.binfmt
libfs.c fix IN_DELETE_SELF on overwriting rename() on ramfs et.al. 2011-07-22 19:42:11 -04:00
locks.c Merge branch 'for-3.2' of git://linux-nfs.org/~bfields/linux 2011-10-25 15:42:01 +02:00
Makefile fs/Makefile: Stupid typo breakage of exofs inclusion 2011-10-27 08:36:51 +02:00
mbcache.c vmscan: change shrinker API by passing shrink_control struct 2011-05-25 08:39:26 -07:00
mpage.c mm/fs: add hooks to support cleancache 2011-05-26 10:01:43 -06:00
namei.c leases: fix write-open/read-lease race 2011-10-28 14:59:00 +02:00
namespace.c vfs: add "device" tag to /proc/self/mountstats 2011-10-28 13:55:08 +02:00
no-block.c
open.c leases: fix write-open/read-lease race 2011-10-28 14:59:00 +02:00
pipe.c fs/pipe.c: add ->statfs callback for pipefs 2011-10-31 17:30:51 -07:00
pnode.c
pnode.h
posix_acl.c vfs: pass all mask flags check_acl and posix_acl_permission 2011-10-28 14:58:54 +02:00
read_write.c Cross Memory Attach 2011-10-31 17:30:44 -07:00
read_write.h
readdir.c
select.c select: remove unused MAX_SELECT_SECONDS 2011-03-21 00:16:08 -04:00
seq_file.c
signalfd.c
splice.c tmpfs: clone shmem_file_splice_read() 2011-07-25 20:57:11 -07:00
stack.c mm: a few small updates for radix-swap 2011-08-03 14:25:24 -10:00
stat.c vfs: remove LOOKUP_NO_AUTOMOUNT flag 2011-09-27 08:12:33 -07:00
statfs.c
super.c vmscan: fix shrinker callback bug in fs/super.c 2011-10-31 17:30:49 -07:00
sync.c fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
timerfd.c timerfd: Fix wakeup of processes when timer is cancelled on clock change 2011-06-14 11:46:14 +02:00
utimes.c userns: rename is_owner_or_cap to inode_owner_or_capable 2011-03-23 19:47:13 -07:00
xattr_acl.c
xattr.c evm: evm_inode_post_removexattr 2011-07-18 12:29:43 -04:00