Merge tag 'v3.10.98' into update
This is the 3.10.98 stable release
This commit is contained in:
Stricted
@@ -2945,7 +2945,7 @@ find_lively_task_by_vpid(pid_t vpid)
|
||||
|
||||
/* Reuse ptrace permission checks for now. */
|
||||
err = -EACCES;
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
|
||||
goto errout;
|
||||
|
||||
return task;
|
||||
@@ -5636,6 +5636,10 @@ static int perf_tp_filter_match(struct perf_event *event,
|
||||
{
|
||||
void *record = data->raw->data;
|
||||
|
||||
/* only top level events have filters set */
|
||||
if (event->parent)
|
||||
event = event->parent;
|
||||
|
||||
if (likely(!event->filter) || filter_match_preds(event->filter, record))
|
||||
return 1;
|
||||
return 0;
|
||||
|
||||
+6
-1
@@ -2495,6 +2495,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
|
||||
if (q.pi_state && (q.pi_state->owner != current)) {
|
||||
spin_lock(q.lock_ptr);
|
||||
ret = fixup_pi_state_owner(uaddr2, &q, current);
|
||||
/*
|
||||
* Drop the reference to the pi state which
|
||||
* the requeue_pi() code acquired for us.
|
||||
*/
|
||||
free_pi_state(q.pi_state);
|
||||
spin_unlock(q.lock_ptr);
|
||||
}
|
||||
} else {
|
||||
@@ -2621,7 +2626,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
|
||||
}
|
||||
|
||||
ret = -EPERM;
|
||||
if (!ptrace_may_access(p, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
|
||||
goto err_unlock;
|
||||
|
||||
head = p->robust_list;
|
||||
|
||||
@@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
|
||||
}
|
||||
|
||||
ret = -EPERM;
|
||||
if (!ptrace_may_access(p, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
|
||||
goto err_unlock;
|
||||
|
||||
head = p->compat_robust_list;
|
||||
|
||||
+2
-2
@@ -122,8 +122,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
|
||||
&task2->signal->cred_guard_mutex);
|
||||
if (ret)
|
||||
goto err;
|
||||
if (!ptrace_may_access(task1, PTRACE_MODE_READ) ||
|
||||
!ptrace_may_access(task2, PTRACE_MODE_READ)) {
|
||||
if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) ||
|
||||
!ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) {
|
||||
ret = -EPERM;
|
||||
goto err_unlock;
|
||||
}
|
||||
|
||||
+15
-11
@@ -3398,6 +3398,11 @@ static inline int is_arm_mapping_symbol(const char *str)
|
||||
&& (str[2] == '\0' || str[2] == '.');
|
||||
}
|
||||
|
||||
static const char *symname(struct module *mod, unsigned int symnum)
|
||||
{
|
||||
return mod->strtab + mod->symtab[symnum].st_name;
|
||||
}
|
||||
|
||||
static const char *get_ksymbol(struct module *mod,
|
||||
unsigned long addr,
|
||||
unsigned long *size,
|
||||
@@ -3420,15 +3425,15 @@ static const char *get_ksymbol(struct module *mod,
|
||||
|
||||
/* We ignore unnamed symbols: they're uninformative
|
||||
* and inserted at a whim. */
|
||||
if (*symname(mod, i) == '\0'
|
||||
|| is_arm_mapping_symbol(symname(mod, i)))
|
||||
continue;
|
||||
|
||||
if (mod->symtab[i].st_value <= addr
|
||||
&& mod->symtab[i].st_value > mod->symtab[best].st_value
|
||||
&& *(mod->strtab + mod->symtab[i].st_name) != '\0'
|
||||
&& !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name))
|
||||
&& mod->symtab[i].st_value > mod->symtab[best].st_value)
|
||||
best = i;
|
||||
if (mod->symtab[i].st_value > addr
|
||||
&& mod->symtab[i].st_value < nextval
|
||||
&& *(mod->strtab + mod->symtab[i].st_name) != '\0'
|
||||
&& !is_arm_mapping_symbol(mod->strtab + mod->symtab[i].st_name))
|
||||
&& mod->symtab[i].st_value < nextval)
|
||||
nextval = mod->symtab[i].st_value;
|
||||
}
|
||||
|
||||
@@ -3439,7 +3444,7 @@ static const char *get_ksymbol(struct module *mod,
|
||||
*size = nextval - mod->symtab[best].st_value;
|
||||
if (offset)
|
||||
*offset = addr - mod->symtab[best].st_value;
|
||||
return mod->strtab + mod->symtab[best].st_name;
|
||||
return symname(mod, best);
|
||||
}
|
||||
|
||||
/* For kallsyms to ask for address resolution. NULL means not found. Careful
|
||||
@@ -3540,8 +3545,7 @@ int module_get_kallsym(unsigned int symnum, unsigned long *value, char *type,
|
||||
if (symnum < mod->num_symtab) {
|
||||
*value = mod->symtab[symnum].st_value;
|
||||
*type = mod->symtab[symnum].st_info;
|
||||
strlcpy(name, mod->strtab + mod->symtab[symnum].st_name,
|
||||
KSYM_NAME_LEN);
|
||||
strlcpy(name, symname(mod, symnum), KSYM_NAME_LEN);
|
||||
strlcpy(module_name, mod->name, MODULE_NAME_LEN);
|
||||
*exported = is_exported(name, *value, mod);
|
||||
preempt_enable();
|
||||
@@ -3558,7 +3562,7 @@ static unsigned long mod_find_symname(struct module *mod, const char *name)
|
||||
unsigned int i;
|
||||
|
||||
for (i = 0; i < mod->num_symtab; i++)
|
||||
if (strcmp(name, mod->strtab+mod->symtab[i].st_name) == 0 &&
|
||||
if (strcmp(name, symname(mod, i)) == 0 &&
|
||||
mod->symtab[i].st_info != 'U')
|
||||
return mod->symtab[i].st_value;
|
||||
return 0;
|
||||
@@ -3602,7 +3606,7 @@ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *,
|
||||
if (mod->state == MODULE_STATE_UNFORMED)
|
||||
continue;
|
||||
for (i = 0; i < mod->num_symtab; i++) {
|
||||
ret = fn(data, mod->strtab + mod->symtab[i].st_name,
|
||||
ret = fn(data, symname(mod, i),
|
||||
mod, mod->symtab[i].st_value);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
|
||||
+31
-8
@@ -225,6 +225,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
|
||||
static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
||||
{
|
||||
const struct cred *cred = current_cred(), *tcred;
|
||||
int dumpable = 0;
|
||||
kuid_t caller_uid;
|
||||
kgid_t caller_gid;
|
||||
|
||||
if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) {
|
||||
WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n");
|
||||
return -EPERM;
|
||||
}
|
||||
|
||||
/* May we inspect the given task?
|
||||
* This check is used both for attaching with ptrace
|
||||
@@ -234,18 +242,33 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
||||
* because setting up the necessary parent/child relationship
|
||||
* or halting the specified task is impossible.
|
||||
*/
|
||||
int dumpable = 0;
|
||||
|
||||
/* Don't let security modules deny introspection */
|
||||
if (same_thread_group(task, current))
|
||||
return 0;
|
||||
rcu_read_lock();
|
||||
if (mode & PTRACE_MODE_FSCREDS) {
|
||||
caller_uid = cred->fsuid;
|
||||
caller_gid = cred->fsgid;
|
||||
} else {
|
||||
/*
|
||||
* Using the euid would make more sense here, but something
|
||||
* in userland might rely on the old behavior, and this
|
||||
* shouldn't be a security problem since
|
||||
* PTRACE_MODE_REALCREDS implies that the caller explicitly
|
||||
* used a syscall that requests access to another process
|
||||
* (and not a filesystem syscall to procfs).
|
||||
*/
|
||||
caller_uid = cred->uid;
|
||||
caller_gid = cred->gid;
|
||||
}
|
||||
tcred = __task_cred(task);
|
||||
if (uid_eq(cred->uid, tcred->euid) &&
|
||||
uid_eq(cred->uid, tcred->suid) &&
|
||||
uid_eq(cred->uid, tcred->uid) &&
|
||||
gid_eq(cred->gid, tcred->egid) &&
|
||||
gid_eq(cred->gid, tcred->sgid) &&
|
||||
gid_eq(cred->gid, tcred->gid))
|
||||
if (uid_eq(caller_uid, tcred->euid) &&
|
||||
uid_eq(caller_uid, tcred->suid) &&
|
||||
uid_eq(caller_uid, tcred->uid) &&
|
||||
gid_eq(caller_gid, tcred->egid) &&
|
||||
gid_eq(caller_gid, tcred->sgid) &&
|
||||
gid_eq(caller_gid, tcred->gid))
|
||||
goto ok;
|
||||
if (ptrace_has_cap(tcred->user_ns, mode))
|
||||
goto ok;
|
||||
@@ -312,7 +335,7 @@ static int ptrace_attach(struct task_struct *task, long request,
|
||||
goto out;
|
||||
|
||||
task_lock(task);
|
||||
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
|
||||
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
|
||||
task_unlock(task);
|
||||
if (retval)
|
||||
goto unlock_creds;
|
||||
|
||||
Reference in New Issue
Block a user