From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:55780 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726064AbeI1Etl (ORCPT ); Fri, 28 Sep 2018 00:49:41 -0400 Date: Thu, 27 Sep 2018 15:29:08 -0700 From: Andrew Morton To: Jann Horn Cc: Kees Cook , Alexey Dobriyan , Ken Chen , kernel list , "linux-fsdevel@vger.kernel.org" , Will Deacon , Laura Abbott , Andy Lutomirski , Security Officers , Catalin Marinas , Josh Poimboeuf , Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , Linux API Subject: Re: [PATCH resend] proc: restrict kernel stack dumps to root Message-Id: <20180927152908.f5c9239d527380c582b1bcfa@linux-foundation.org> In-Reply-To: <20180927153316.200286-1-jannh@google.com> References: <20180927153316.200286-1-jannh@google.com> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Thu, 27 Sep 2018 17:33:16 +0200 Jann Horn wrote: > Restrict the ability to inspect kernel stacks of arbitrary tasks to root > in order to prevent a local attacker from exploiting racy stack unwinding > to leak kernel task stack contents. > See the added comment for a longer rationale. > > There don't seem to be any users of this userspace API that can't > gracefully bail out if reading from the file fails. Therefore, I believe > that this change is unlikely to break things. > In the case that this patch does end up needing a revert, the next-best > solution might be to fake a single-entry stack based on wchan. > > Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") > Cc: stable@vger.kernel.org > Signed-off-by: Jann Horn It's a bit worrisome cc'ing stable on a patch which might need a revert. > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -407,6 +407,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns, > unsigned long *entries; > int err; > > + /* > + * The ability to racily run the kernel stack unwinder on a running task > + * and then observe the unwinder output is scary; while it is useful for > + * debugging kernel issues, it can also allow an attacker to leak kernel > + * stack contents. > + * Doing this in a manner that is at least safe from races would require > + * some work to ensure that the remote task can not be scheduled; and > + * even then, this would still expose the unwinder as local attack > + * surface. > + * Therefore, this interface is restricted to root. > + */ The /proc file is 0400 so the user can only read owned-by-self stacks, yes? In what way could exposure of one's own kernel stack contents lead to plausible attacks? I guess maybe post-setuid, perhaps? I do think we're owed considerably more explanation of the present risk before considering a somewhat dangerous -stable backport, please.