restrict reading from /proc/<pid>/maps to those who share ->mm or can ptrace pid

Contents of /proc/*/maps is sensitive and may become sensitive after open() (e.g. if target originally shares our ->mm and later does exec on suid-root binary). Check at read() (actually, ->start() of iterator) time that mm_struct we'd grabbed and locked is - still the ->mm of target - equal to reader's ->mm or the target is ptracable by reader. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Rik van Riel <riel@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Al Viro <viro@ZenIV.linux.org.uk> 2008-01-02 09:09:57 -0500
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2008-01-02 16:13:27 -0500
commit: 831830b5a2b5d413407adf380ef62fe17d6fcbf2 (patch)
tree: b08f54f15374b5b98b0b3bea20a1d2ea8d1f50e0 /fs/proc/base.c
parent: ac40532ef0b8649e6f7f83859ea0de1c4ed08a19 (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 02a63ac04178..7411bfb0b7cc 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -202,6 +202,26 @@ static int proc_root_link(struct inode *inode, struct dentry **dentry, struct vf
         (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
         security_ptrace(current,task) == 0))
+struct mm_struct *mm_for_maps(struct task_struct *task)
+{
+        struct mm_struct *mm = get_task_mm(task);
+        if (!mm)
+                return NULL;
+        down_read(&mm->mmap_sem);
+        task_lock(task);
+        if (task->mm != mm)
+                goto out;
+        if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
+                goto out;
+        task_unlock(task);
+        return mm;
+out:
+        task_unlock(task);
+        up_read(&mm->mmap_sem);
+        mmput(mm);
+        return NULL;
+}
 static int proc_pid_cmdline(struct task_struct *task, char * buffer)
 {
        int res = 0;
author	Al Viro <viro@ZenIV.linux.org.uk>	2008-01-02 09:09:57 -0500
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2008-01-02 16:13:27 -0500
commit	831830b5a2b5d413407adf380ef62fe17d6fcbf2 (patch)
tree	b08f54f15374b5b98b0b3bea20a1d2ea8d1f50e0 /fs/proc/base.c
parent	ac40532ef0b8649e6f7f83859ea0de1c4ed08a19 (diff)

diff --git a/fs/proc/base.c b/fs/proc/base.c index 02a63ac04178..7411bfb0b7cc 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c
@@ -202,6 +202,26 @@ static int proc_root_link(struct inode inode, struct dentry *dentry, struct vf
202	(task->state == TASK_STOPPED \|\| task->state == TASK_TRACED) && \	202	(task->state == TASK_STOPPED \|\| task->state == TASK_TRACED) && \
203	security_ptrace(current,task) == 0))	203	security_ptrace(current,task) == 0))
204		204
		205	struct mm_struct mm_for_maps(struct task_struct task)
		206	{
		207	struct mm_struct *mm = get_task_mm(task);
		208	if (!mm)
		209	return NULL;
		210	down_read(&mm->mmap_sem);
		211	task_lock(task);
		212	if (task->mm != mm)
		213	goto out;
		214	if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
		215	goto out;
		216	task_unlock(task);
		217	return mm;
		218	out:
		219	task_unlock(task);
		220	up_read(&mm->mmap_sem);
		221	mmput(mm);
		222	return NULL;
		223	}
		224
205	static int proc_pid_cmdline(struct task_struct task, char buffer)	225	static int proc_pid_cmdline(struct task_struct task, char buffer)
206	{	226	{
207	int res = 0;	227	int res = 0;