restrict reading from /proc/<pid>/maps to those who share ->mm or can ptrace pid
Contents of /proc/*/maps is sensitive and may become sensitive after open() (e.g. if target originally shares our ->mm and later does exec on suid-root binary). Check at read() (actually, ->start() of iterator) time that mm_struct we'd grabbed and locked is - still the ->mm of target - equal to reader's ->mm or the target is ptracable by reader. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Rik van Riel <riel@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Al Viro
Linus Torvalds
@@ -202,6 +202,26 @@ static int proc_root_link(struct inode *inode, struct dentry **dentry, struct vf
|
||||
(task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
|
||||
security_ptrace(current,task) == 0))
|
||||
|
||||
struct mm_struct *mm_for_maps(struct task_struct *task)
|
||||
{
|
||||
struct mm_struct *mm = get_task_mm(task);
|
||||
if (!mm)
|
||||
return NULL;
|
||||
down_read(&mm->mmap_sem);
|
||||
task_lock(task);
|
||||
if (task->mm != mm)
|
||||
goto out;
|
||||
if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
|
||||
goto out;
|
||||
task_unlock(task);
|
||||
return mm;
|
||||
out:
|
||||
task_unlock(task);
|
||||
up_read(&mm->mmap_sem);
|
||||
mmput(mm);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static int proc_pid_cmdline(struct task_struct *task, char * buffer)
|
||||
{
|
||||
int res = 0;
|
||||
|
||||
Reference in New Issue
Block a user