The patch titled
     proc: protect mm start_code/end_code in /proc/pid/stat
has been added to the -mm tree.  Its filename is
     proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: proc: protect mm start_code/end_code in /proc/pid/stat
From: Kees Cook <[email protected]>

While mm->start_stack was protected from cross-uid viewing (commit
f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
processes")), the start_code and end_code values were not.  This would
allow the text location of a PIE binary to leak, defeating ASLR.

Note that the value "1" is used instead of "0" for a protected value since
"ps", "killall", and likely other readers of /proc/pid/stat, take
start_code of "0" to mean a kernel thread and will misbehave.  Thanks to
Brad Spengler for pointing this out.

Addresses CVE-2011-0726

Signed-off-by: Kees Cook <[email protected]>
Cc: <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: David Howells <[email protected]>
Cc: Eugene Teo <[email protected]>
Cc: Martin Schwidefsky <[email protected]>
Reported-by: Brad Spengler <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
---

 fs/proc/array.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff -puN fs/proc/array.c~proc-protect-mm-start_code-end_code-in-proc-pid-stat 
fs/proc/array.c
--- a/fs/proc/array.c~proc-protect-mm-start_code-end_code-in-proc-pid-stat
+++ a/fs/proc/array.c
@@ -489,8 +489,8 @@ static int do_task_stat(struct seq_file 
                vsize,
                mm ? get_mm_rss(mm) : 0,
                rsslim,
-               mm ? mm->start_code : 0,
-               mm ? mm->end_code : 0,
+               mm ? (permitted ? mm->start_code : 1) : 0,
+               mm ? (permitted ? mm->end_code : 1) : 0,
                (permitted && mm) ? mm->start_stack : 0,
                esp,
                eip,
_

Patches currently in -mm which might be from [email protected] are

origin.patch
linux-next.patch
net-convert-%p-usage-to-%pk.patch
printk-use-%pk-for-proc-kallsyms-and-proc-modules.patch
proc-hide-kernel-addresses-via-%pk-in-proc-pid-stack.patch
proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

Reply via email to