From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qt0-f169.google.com ([209.85.216.169]:42482 "EHLO mail-qt0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727732AbeIMDyk (ORCPT ); Wed, 12 Sep 2018 23:54:40 -0400 Received: by mail-qt0-f169.google.com with SMTP id z8-v6so3603372qto.9 for ; Wed, 12 Sep 2018 15:48:02 -0700 (PDT) Subject: Re: [PATCH] proc: restrict kernel stack dumps to root To: Kees Cook , Jann Horn Cc: Alexey Dobriyan , Ken Chen , kernel list , "linux-fsdevel@vger.kernel.org" , Will Deacon , Andy Lutomirski , Security Officers , Catalin Marinas , Josh Poimboeuf , Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , Linux API References: <20180911183909.233413-1-jannh@google.com> From: Laura Abbott Message-ID: <4ceb318d-9af6-7a78-db6a-cfe9dd8a0823@redhat.com> Date: Wed, 12 Sep 2018 15:47:58 -0700 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On 09/12/2018 03:27 PM, Kees Cook wrote: > On Wed, Sep 12, 2018 at 8:29 AM, Jann Horn wrote: >> +linux-api, I guess >> >> On Tue, Sep 11, 2018 at 8:39 PM Jann Horn wrote: >>> >>> Restrict the ability to inspect kernel stacks of arbitrary tasks to root >>> in order to prevent a local attacker from exploiting racy stack unwinding >>> to leak kernel task stack contents. >>> See the added comment for a longer rationale. >>> >>> There don't seem to be any users of this userspace API that can't >>> gracefully bail out if reading from the file fails. Therefore, I believe >>> that this change is unlikely to break things. >>> In the case that this patch does end up needing a revert, the next-best >>> solution might be to fake a single-entry stack based on wchan. >>> >>> Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") >>> Cc: stable@vger.kernel.org >>> Signed-off-by: Jann Horn >>> --- >>> fs/proc/base.c | 14 ++++++++++++++ >>> 1 file changed, 14 insertions(+) >>> >>> diff --git a/fs/proc/base.c b/fs/proc/base.c >>> index ccf86f16d9f0..7e9f07bf260d 100644 >>> --- a/fs/proc/base.c >>> +++ b/fs/proc/base.c >>> @@ -407,6 +407,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns, >>> unsigned long *entries; >>> int err; >>> >>> + /* >>> + * The ability to racily run the kernel stack unwinder on a running task >>> + * and then observe the unwinder output is scary; while it is useful for >>> + * debugging kernel issues, it can also allow an attacker to leak kernel >>> + * stack contents. >>> + * Doing this in a manner that is at least safe from races would require >>> + * some work to ensure that the remote task can not be scheduled; and >>> + * even then, this would still expose the unwinder as local attack >>> + * surface. >>> + * Therefore, this interface is restricted to root. >>> + */ >>> + if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) >>> + return -EACCES; > > In the past, we've avoided hard errors like this in favor of just > censoring the output. Do we want to be more cautious here? (i.e. > return 0 or a fuller seq_printf(m, "[<0>] privileged\n"); return 0;) > The -EACCES is a strong hint to run with root privileges which is nice from an end user perspective. If we don't want to return an actual error, I think the "privileged" message would be okay. Laura >>> + >>> entries = kmalloc_array(MAX_STACK_TRACE_DEPTH, sizeof(*entries), >>> GFP_KERNEL); >>> if (!entries) >>> -- >>> 2.19.0.rc2.392.g5ba43deb5a-goog >>> > > -Kees >