kernel-ark/fs
Djalal Harouni e8905ec27e proc: environ_read() make sure offset points to environment address range
Currently the following offset and environment address range check in
environ_read() of /proc/<pid>/environ is buggy:

  int this_len = mm->env_end - (mm->env_start + src);
  if (this_len <= 0)
    break;

Large or negative offsets on /proc/<pid>/environ converted to 'unsigned
long' may pass this check since '(mm->env_start + src)' can overflow and
'this_len' will be positive.

This can turn /proc/<pid>/environ to act like /proc/<pid>/mem since
(mm->env_start + src) will point and read from another VMA.

There are two fixes here plus some code cleaning:

1) Fix the overflow by checking if the offset that was converted to
   unsigned long will always point to the [mm->env_start, mm->env_end]
   address range.

2) Remove the truncation that was made to the result of the check,
   storing the result in 'int this_len' will alter its value and we can
   not depend on it.

For kernels that have commit b409e578d ("proc: clean up
/proc/<pid>/environ handling") which adds the appropriate ptrace check and
saves the 'mm' at ->open() time, this is not a security issue.

This patch is taken from the grsecurity patch since it was just made
available.

Signed-off-by: Djalal Harouni <tixxdz@opendz.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Brad Spengler <spender@grsecurity.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-07-30 17:25:20 -07:00
..
9p VFS: Pass mount flags to sget() 2012-07-14 16:38:34 +04:00
adfs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
affs affs: use memweight() 2012-07-30 17:25:16 -07:00
afs VFS: Pass mount flags to sget() 2012-07-14 16:38:34 +04:00
autofs4 switch dentry_open() to struct path, make it grab references itself 2012-07-23 00:01:29 +04:00
befs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
bfs don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
btrfs btrfs: use printk_get_level and printk_skip_level, add __printf, fix fallout 2012-07-30 17:25:14 -07:00
cachefiles switch dentry_open() to struct path, make it grab references itself 2012-07-23 00:01:29 +04:00
ceph VFS: Pass mount flags to sget() 2012-07-14 16:38:34 +04:00
cifs cifs: ensure that we always do cifsFileInfo_get under the spinlock 2012-07-25 14:51:30 -05:00
coda don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
configfs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
cramfs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
debugfs Driver core merge for 3.6-rc1 2012-07-26 11:25:33 -07:00
devpts VFS: Pass mount flags to sget() 2012-07-14 16:38:34 +04:00
dlm dlm: fix missing dir remove 2012-07-16 14:24:43 -05:00
ecryptfs switch dentry_open() to struct path, make it grab references itself 2012-07-23 00:01:29 +04:00
efs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
exofs Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-07-23 12:27:27 -07:00
exportfs switch dentry_open() to struct path, make it grab references itself 2012-07-23 00:01:29 +04:00
ext2 ext2: use memweight() 2012-07-30 17:25:16 -07:00
ext3 ext3: use memweight() 2012-07-30 17:25:16 -07:00
ext4 ext4: use memweight() 2012-07-30 17:25:16 -07:00
fat fat: refactor shortname parsing 2012-07-30 17:25:20 -07:00
freevxfs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
fscache
fuse don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
gfs2 Merge git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-nmw 2012-07-24 17:57:05 -07:00
hfs hfs: get rid of hfs_sync_super 2012-07-22 23:58:09 +04:00
hfsplus hfsplus: use -ENOMEM when kzalloc() fails 2012-07-30 17:25:19 -07:00
hostfs don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
hpfs don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
hppfs switch dentry_open() to struct path, make it grab references itself 2012-07-23 00:01:29 +04:00
hugetlbfs don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
isofs Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs 2012-07-24 17:40:44 -07:00
jbd jbd: Check return value of blkdev_issue_flush() 2012-07-09 23:38:36 +02:00
jbd2 jbd2: remove the second argument of kmap_atomic 2012-07-23 14:11:22 +08:00
jffs2 don't expose I_NEW inodes via dentry->d_inode 2012-07-23 00:00:58 +04:00
jfs don't expose I_NEW inodes via dentry->d_inode 2012-07-23 00:00:58 +04:00
lockd Merge branch 'for-3.5' of git://linux-nfs.org/~bfields/linux 2012-06-01 08:32:58 -07:00
logfs VFS: Pass mount flags to sget() 2012-07-14 16:38:34 +04:00
minix minixfs: fix block limit check 2012-07-30 17:25:19 -07:00
ncpfs don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
nfs Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-07-23 12:27:27 -07:00
nfs_common
nfsd switch dentry_open() to struct path, make it grab references itself 2012-07-23 00:01:29 +04:00
nilfs2 nilfs2: add omitted comments for different structures in driver implementation 2012-07-30 17:25:19 -07:00
nls nls: fix (and rename) mac NLS table files and config options 2012-06-01 19:51:22 -07:00
notify switch dentry_open() to struct path, make it grab references itself 2012-07-23 00:01:29 +04:00
ntfs ntfs: remove references to long gone super operations and unimplemented methods 2012-07-30 17:25:11 -07:00
ocfs2 ocfs2: use memweight() 2012-07-30 17:25:16 -07:00
omfs don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
openpromfs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
proc proc: environ_read() make sure offset points to environment address range 2012-07-30 17:25:20 -07:00
pstore pstore/ram: Make tracing log versioned 2012-07-17 16:48:09 -07:00
qnx4 qnx4fs: use memweight() 2012-07-30 17:25:16 -07:00
qnx6 stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
quota Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs 2012-07-24 17:40:44 -07:00
ramfs don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
reiserfs don't expose I_NEW inodes via dentry->d_inode 2012-07-23 00:00:58 +04:00
romfs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
squashfs stop passing nameidata to ->lookup() 2012-07-14 16:34:32 +04:00
sysfs Driver core merge for 3.6-rc1 2012-07-26 11:25:33 -07:00
sysv fs/sysv: stop using write_super and s_dirt 2012-07-22 23:58:12 +04:00
ubifs * Added another debugfs knob for forcing UBIFS R/O mode without flushing caches 2012-07-23 15:50:52 -07:00
udf Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs 2012-07-24 17:40:44 -07:00
ufs fs/ufs: get rid of write_super 2012-07-22 23:58:16 +04:00
xfs Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-07-23 12:27:27 -07:00
aio.c aio: now fput() is OK from interrupt context; get rid of manual delayed __fput() 2012-07-22 23:57:59 +04:00
anon_inodes.c anon_inodes: move allocation of anon_inode into ->mount() 2012-03-20 21:29:45 -04:00
attr.c notify_change(): check that i_mutex is held 2012-07-14 16:35:42 +04:00
bad_inode.c don't pass nameidata to ->create() 2012-07-14 16:34:47 +04:00
binfmt_aout.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_elf_fdpic.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
binfmt_elf.c binfmt_elf: switch elf_map() to vm_mmap/vm_munmap 2012-05-30 21:04:55 -04:00
binfmt_em86.c __register_binfmt() made void 2012-03-20 21:29:46 -04:00
binfmt_flat.c binfmt_flat: use vm_munmap, we are missing ->mmap_sem there 2012-05-30 21:04:56 -04:00
binfmt_misc.c vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
binfmt_script.c __register_binfmt() made void 2012-03-20 21:29:46 -04:00
binfmt_som.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
bio-integrity.c fs: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:21 +08:00
bio.c Merge branch 'for-3.5/core' of git://git.kernel.dk/linux-block 2012-05-30 08:52:42 -07:00
block_dev.c vfs: Create function for iterating over block devices 2012-07-22 23:58:45 +04:00
buffer.c block: fix infinite loop in __getblk_slow 2012-07-13 08:36:35 -07:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
compat.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal 2012-06-01 11:53:44 -07:00
dcache.c __d_unalias() should refuse to move mountpoints 2012-07-14 16:35:15 +04:00
dcookies.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
direct-io.c fs/direct-io.c: adjust suspicious bit operation 2012-07-14 16:32:46 +04:00
drop_caches.c
eventfd.c eventfd: change int to __u64 in eventfd_signal() 2012-05-31 17:49:32 -07:00
eventpoll.c PM: Rename CAP_EPOLLWAKEUP to CAP_BLOCK_SUSPEND 2012-07-17 21:37:27 +02:00
exec.c coredump: fix wrong comments on core limits of pipe coredump case 2012-07-30 17:25:20 -07:00
fcntl.c switch fcntl to fget_raw_light/fput_light 2012-05-29 23:28:30 -04:00
fhandle.c
fifo.c fifo: Do not restart open() if it already found a partner 2012-07-16 08:33:14 -07:00
file_table.c switch fput to task_work_add 2012-07-22 23:57:58 +04:00
file.c Merge branch 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-29 18:12:23 -07:00
filesystems.c
fs_struct.c get rid of ->mnt_longterm 2012-07-14 16:32:47 +04:00
fs-writeback.c vfs: Move noop_backing_dev_info check from sync into writeback 2012-07-22 23:58:18 +04:00
generic_acl.c
inode.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2012-07-26 14:48:55 -07:00
internal.h VFS: Split inode_permission() 2012-07-14 16:38:36 +04:00
ioctl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
ioprio.c Merge branch 'for-3.5/core' of git://git.kernel.dk/linux-block 2012-05-30 08:52:42 -07:00
Kconfig Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
Kconfig.binfmt C6X: add support to build with BINFMT_ELF_FDPIC 2012-05-15 09:17:34 -04:00
libfs.c VFS: Pass mount flags to sget() 2012-07-14 16:38:34 +04:00
locks.c locks: fix checking of fcntl_setlease argument 2012-07-23 12:46:01 -07:00
Makefile fs: initial qnx6fs addition 2012-03-20 21:29:38 -04:00
mbcache.c
mount.h get rid of magic in proc_namespace.c 2012-07-14 16:32:48 +04:00
mpage.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
namei.c tidy up namei.c a bit 2012-07-23 00:00:55 +04:00
namespace.c VFS: Comment mount following code 2012-07-14 16:38:32 +04:00
no-block.c
open.c switch dentry_open() to struct path, make it grab references itself 2012-07-23 00:01:29 +04:00
pipe.c pipe: remove KM_USER0 from comments 2012-07-24 15:27:34 +08:00
pnode.c VFS: Make clone_mnt()/copy_tree()/collect_mounts() return errors 2012-07-14 16:37:27 +04:00
pnode.h
posix_acl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
proc_namespace.c get rid of magic in proc_namespace.c 2012-07-14 16:32:48 +04:00
read_write.c vfs: allow custom EOF in generic_file_llseek code 2012-07-23 00:00:15 +04:00
read_write.h
readdir.c switch readdir/getdents to fget_light/fput_light 2012-05-29 23:28:29 -04:00
select.c posix_types.h: Cleanup stale __NFDBITS and related definitions 2012-07-26 13:36:43 -07:00
seq_file.c seq_file: Add seq_vprintf function and export it 2012-06-11 13:16:35 +01:00
signalfd.c switch signalfd4() to fget_light/fput_light 2012-05-29 23:28:30 -04:00
splice.c splice: fix racy pipe->buffers uses 2012-06-13 21:16:42 +02:00
stack.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
stat.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
statfs.c switch statfs to fget_light/fput_light 2012-05-29 23:28:31 -04:00
super.c VFS: Pass mount flags to sget() 2012-07-14 16:38:34 +04:00
sync.c vfs: Avoid unnecessary WB_SYNC_NONE writeback during sys_sync and reorder sync passes 2012-07-22 23:59:01 +04:00
timerfd.c
utimes.c switch utimes() to fget_light/fput_light 2012-05-29 23:28:32 -04:00
xattr_acl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
xattr.c fs/xattr.c:getxattr(): improve handling of allocation failures 2012-07-30 17:25:11 -07:00