[SRU][Trusty][Bionic][PATCH 1/1] proc: restrict kernel stack dumps to root

Khalid Elmously khalid.elmously at canonical.com
Tue Dec 4 02:21:04 UTC 2018

From: Jann Horn <jannh at google.com>


Currently, you can use /proc/self/task/*/stack to cause a stack walk on
a task you control while it is running on another CPU.  That means that
the stack can change under the stack walker.  The stack walker does
have guards against going completely off the rails and into random
kernel memory, but it can interpret random data from your kernel stack
as instruction pointers and stack pointers.  This can cause exposure of
kernel stack contents to userspace.

Restrict the ability to inspect kernel stacks of arbitrary tasks to root
in order to prevent a local attacker from exploiting racy stack unwinding
to leak kernel task stack contents.  See the added comment for a longer

There don't seem to be any users of this userspace API that can't
gracefully bail out if reading from the file fails.  Therefore, I believe
that this change is unlikely to break things.  In the case that this patch
does end up needing a revert, the next-best solution might be to fake a
single-entry stack based on wchan.

Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
Signed-off-by: Jann Horn <jannh at google.com>
Acked-by: Kees Cook <keescook at chromium.org>
Cc: Alexey Dobriyan <adobriyan at gmail.com>
Cc: Ken Chen <kenchen at google.com>
Cc: Will Deacon <will.deacon at arm.com>
Cc: Laura Abbott <labbott at redhat.com>
Cc: Andy Lutomirski <luto at amacapital.net>
Cc: Catalin Marinas <catalin.marinas at arm.com>
Cc: Josh Poimboeuf <jpoimboe at redhat.com>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: Ingo Molnar <mingo at redhat.com>
Cc: "H . Peter Anvin" <hpa at zytor.com>
Cc: <stable at vger.kernel.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
(backported from f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7)
[ kmously: Minor context adjustment ]
Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>
 fs/proc/base.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 4dd9d5541088..7c798e95a69e 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -304,6 +304,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
 	int err;
 	int i;
+	/*
+	 * The ability to racily run the kernel stack unwinder on a running task
+	 * and then observe the unwinder output is scary; while it is useful for
+	 * debugging kernel issues, it can also allow an attacker to leak kernel
+	 * stack contents.
+	 * Doing this in a manner that is at least safe from races would require
+	 * some work to ensure that the remote task can not be scheduled; and
+	 * even then, this would still expose the unwinder as local attack
+	 * surface.
+	 * Therefore, this interface is restricted to root.
+	 */
+	if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
+		return -EACCES;
 	entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
 	if (!entries)
 		return -ENOMEM;

More information about the kernel-team mailing list