[Acked] [PATCH 1/1] /proc/iomem: only expose physical resource addresses to privileged users

[Andy Whitcroft]

On Fri, Jun 09, 2017 at 05:56:30AM -0700, Brad Figg wrote:
> From: Linus Torvalds <torvalds at linux-foundation.org>
> 
> CVE-2015-8944
> 
> In commit c4004b02f8e5b ("x86: remove the kernel code/data/bss resources
> from /proc/iomem") I was hoping to remove the phyiscal kernel address
> data from /proc/iomem entirely, but that had to be reverted because some
> system programs actually use it.
> 
> This limits all the detailed resource information to properly
> credentialed users instead.
> 
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry picked from commit 51d7b120418e99d6b3bf8df9eb3cc31e8171dee4)
> Signed-off-by: Brad Figg <brad.figg at canonical.com>
> ---
>  kernel/resource.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/resource.c b/kernel/resource.c
> index 449282e..b97a740 100644
> --- a/kernel/resource.c
> +++ b/kernel/resource.c
> @@ -95,16 +95,25 @@ static int r_show(struct seq_file *m, void *v)
>  {
>  	struct resource *root = m->private;
>  	struct resource *r = v, *p;
> +	unsigned long long start, end;
>  	int width = root->end < 0x10000 ? 4 : 8;
>  	int depth;
>  
>  	for (depth = 0, p = r; depth < MAX_IORES_LEVEL; depth++, p = p->parent)
>  		if (p->parent == root)
>  			break;
> +
> +	if (file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) {
> +		start = r->start;
> +		end = r->end;
> +	} else {
> +		start = end = 0;
> +	}
> +
>  	seq_printf(m, "%*s%0*llx-%0*llx : %s\n",
>  			depth * 2, "",
> -			width, (unsigned long long) r->start,
> -			width, (unsigned long long) r->end,
> +			width, start,
> +			width, end,
>  			r->name ? r->name : "<BAD>");
>  	return 0;
>  }

Clean cherry-pick.  Looks to do what is claimed.  Therefore:

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw