The patch titled
proc: fix a race in do_io_accounting()
has been added to the -mm tree. Its filename is
proc-fix-a-race-in-do_io_accounting.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
Subject: proc: fix a race in do_io_accounting()
From: Vasiliy Kulikov <seg...@openwall.com>
There is a ptrace_may_access() check in do_io_accounting() to prevent
gathering information of setuid'ed and similar binaries. However, there
is a race against execve(). Holding task->signal->cred_guard_mutex while
gathering the information should protect against the race.
The order of locking is similar to the one inside of ptrace_attach():
first goes cred_guard_mutex, then lock_task_sighand().
Signed-off-by: Vasiliy Kulikov <seg...@openwall.com>
Cc: Al Viro <v...@zeniv.linux.org.uk>
Cc: Linus Torvalds <torva...@linux-foundation.org>
Cc: <sta...@kernel.org>
Signed-off-by: Andrew Morton <a...@linux-foundation.org>
---
fs/proc/base.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff -puN fs/proc/base.c~proc-fix-a-race-in-do_io_accounting fs/proc/base.c
--- a/fs/proc/base.c~proc-fix-a-race-in-do_io_accounting
+++ a/fs/proc/base.c
@@ -2718,9 +2718,16 @@ static int do_io_accounting(struct task_
{
struct task_io_accounting acct = task->ioac;
unsigned long flags;
+ int result;
- if (!ptrace_may_access(task, PTRACE_MODE_READ))
- return -EACCES;
+ result = mutex_lock_killable(&task->signal->cred_guard_mutex);
+ if (result)
+ return result;
+
+ if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
+ result = -EACCES;
+ goto out_unlock;
+ }
if (whole && lock_task_sighand(task, &flags)) {
struct task_struct *t = task;
@@ -2731,7 +2738,7 @@ static int do_io_accounting(struct task_
unlock_task_sighand(task, &flags);
}
- return sprintf(buffer,
+ result = sprintf(buffer,
"rchar: %llu\n"
"wchar: %llu\n"
"syscr: %llu\n"
@@ -2746,6 +2753,9 @@ static int do_io_accounting(struct task_
(unsigned long long)acct.read_bytes,
(unsigned long long)acct.write_bytes,
(unsigned long long)acct.cancelled_write_bytes);
+out_unlock:
+ mutex_unlock(&task->signal->cred_guard_mutex);
+ return result;
}
static int proc_tid_io_accounting(struct task_struct *task, char *buffer)
_
Patches currently in -mm which might be from seg...@openwall.com are
arch-arm-mach-ux500-mbox-db5500c-world-writable-sysfs-fifo-file.patch
proc-fix-a-race-in-do_io_accounting.patch
ipc-introduce-shm_rmid_forced-sysctl.patch
ipc-introduce-shm_rmid_forced-sysctl-fix.patch
ipc-introduce-shm_rmid_forced-sysctl-fix-2.patch
ipc-introduce-shm_rmid_forced-sysctl-cleanup.patch
ipc-introduce-shm_rmid_forced-sysctl-comments.patch
ipc-introduce-shm_rmid_forced-sysctl-comments-fix.patch
ipc-introduce-shm_rmid_forced-sysctl-testing.patch
_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable
