[PATCH] proc: protect mm start_code/end_code in /proc/pid/stat

From: Kees Cook
Date: Fri Mar 11 2011 - 16:28:52 EST

Next message: Michal Marek: "[PATCH] kbuild: Fix computing srcversion for modules"
Previous message: Simon Kirby: "Re: [git pull] more vfs fixes for final"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

While mm->start_stack was protected from cross-uid viewing (commit
f83ce3e6b02d5e48b3a43b001390e2b58820389d), the start_code and end_code
values were not. This would allow the text location of a PIE binary to
leak, defeating ASLR.

Note that the value "1" is used instead of "0" for a protected value
since "ps", "killall", and likely other readers of /proc/pid/stat, take
start_code of "0" to mean a kernel thread and will misbehave. Thanks to
Brad Spengler for pointing this out.

CVE-2011-0726

Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxx
---
fs/proc/array.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/proc/array.c b/fs/proc/array.c
index 7c99c1c..5e4f776 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -489,8 +489,8 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
vsize,
mm ? get_mm_rss(mm) : 0,
rsslim,
- mm ? mm->start_code : 0,
- mm ? mm->end_code : 0,
+ mm ? (permitted ? mm->start_code : 1) : 0,
+ mm ? (permitted ? mm->end_code : 1) : 0,
(permitted && mm) ? mm->start_stack : 0,
esp,
eip,
--
1.7.4.1

--
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Michal Marek: "[PATCH] kbuild: Fix computing srcversion for modules"
Previous message: Simon Kirby: "Re: [git pull] more vfs fixes for final"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]