From: Andy Lutomirski luto@kernel.org
commit 0a1eb2d474edfe75466be6b4677ad84e5e8ca3f5 upstream.
Reporting these fields on a non-current task is dangerous. If the task is in any state other than normal kernel code, they may contain garbage or even kernel addresses on some architectures. (x86_64 used to do this. I bet lots of architectures still do.) With CONFIG_THREAD_INFO_IN_TASK=y, it can OOPS, too.
As far as I know, there are no user programs that make any material use of these fields, so just get rid of them.
Reported-by: Jann Horn jann@thejh.net
Signed-off-by: Andy Lutomirski luto@kernel.org
Acked-by: Thomas Gleixner tglx@linutronix.de
Cc: Al Viro viro@zeniv.linux.org.uk
Cc: Andrew Morton akpm@linux-foundation.org
Cc: Borislav Petkov bp@alien8.de
Cc: Brian Gerst brgerst@gmail.com
Cc: Kees Cook keescook@chromium.org
Cc: Linus Torvalds torvalds@linux-foundation.org
Cc: Linux API linux-api@vger.kernel.org
Cc: Peter Zijlstra peterz@infradead.org
Cc: Tetsuo Handa penguin-kernel@i-love.sakura.ne.jp
Cc: Tycho Andersen tycho.andersen@canonical.com
Link: http://lkml.kernel.org/r/a5fed4c3f4e33ed25d4bb03567e329bc5a712bcc.1475257877...
Signed-off-by: Ingo Molnar mingo@kernel.org
Signed-off-by: zhangyi (F) yi.zhang@huawei.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 fs/proc/array.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
--- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -425,10 +425,11 @@ static int do_task_stat(struct seq_file mm = get_task_mm(task); if (mm) { vsize = task_vsize(mm); - if (permitted) { - eip = KSTK_EIP(task); - esp = KSTK_ESP(task); - } + /* + * esp and eip are intentionally zeroed out. There is no + * non-racy way to read them without freezing the task. + * Programs that need reliable values can use ptrace(2). + */ }
get_task_comm(tcomm, task);
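Review bot: with the `if (permitted)` branch removed, nothing in this hunk assigns `eip` or `esp` any more, so the "intentionally zeroed out" promise in the new comment rests entirely on their declarations initializing them to 0; the hunk does not show those declarations, so please confirm they read `eip = 0, esp = 0` rather than being left uninitialized, otherwise the stat line would print whatever happened to be in those stack slots, which is the same class of leak this patch removes. Since this block was one of the consumers of `permitted`, also check that the variable still has other users in do_task_stat(); if this was the last one, the variable and the code that computes it should be dropped in the same patch to avoid an unused-variable warning.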
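To show what the change means for userspace, here is an added example that is not part of the patch or of the kernel tree: a reader for fields 29 (kstkesp) and 30 (kstkeip) of /proc/PID/stat that splits the line correctly (comm may contain ')' and spaces, so a whitespace split from column 1 lands on the wrong fields), and the ptrace(2) route the new comment points programs at for reliable register values. The two /proc lines, the field values in them, and the x86_64-only `regs_via_ptrace()` helper are constructed for illustration.

```c
/* Added example, not part of the patch or of the kernel tree: read fields
 * 29 (kstkesp) and 30 (kstkeip) of /proc/PID/stat robustly, then take the
 * ptrace(2) route the new comment recommends.  Both lines are constructed. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__linux__) && defined(__x86_64__)
#include <sys/ptrace.h>
#include <sys/user.h>
#endif

#define KSTKESP_FIELD 29   /* proc(5) numbering */
#define KSTKEIP_FIELD 30

/* Constructed pre-patch line for a task whose comm is "foo) R 1".  comm may
 * contain ')' and spaces, so a naive whitespace split from column 1 is two
 * fields off.  Fields 29/30 carry a stack and a code address here. */
const char *const SAMPLE_BEFORE =
    "1234 (foo) R 1) S 1 1234 1234 0 -1 4194560 120 0 0 0 2 1 0 0 20 0 1 0 "
    "98765 8466432 320 18446744073709551615 94345678000000 94345678100000 "
    "140737488351232 140737488346112 94345678901234 0 0 0 0 0";
/* Constructed post-patch line for the same task: fields 29 and 30 are 0. */
const char *const SAMPLE_AFTER =
    "1234 (foo) R 1) S 1 1234 1234 0 -1 4194560 120 0 0 0 2 1 0 0 20 0 1 0 "
    "98765 8466432 320 18446744073709551615 94345678000000 94345678100000 "
    "140737488351232 0 0 0 0 0 0 0";

/* Parse numeric 1-based field `field` (>= 3).  Split at the LAST ')' on the
 * line because comm (field 2) may itself contain ')' and spaces.
 * Returns 0 on success, -1 if the field is missing or not a number. */
int stat_field(const char *line, int field, unsigned long long *out)
{
    const char *p = strrchr(line, ')');
    char *end;

    if (!p || field < 3)
        return -1;
    for (int i = 3; ; i++) {
        for (p++; *p == ' '; p++)
            ;                       /* p: first char of field i */
        if (!*p)
            return -1;
        if (i == field)
            break;
        while (p[1] && p[1] != ' ')
            p++;                    /* p: last char of field i */
    }
    errno = 0;
    *out = strtoull(p, &end, 10);
    return (end == p || errno) ? -1 : 0;
}

/* sp/ip of a ptrace-stopped child: the reliable way to get what fields 29/30
 * used to claim.  x86_64 Linux only here (other arches need PTRACE_GETREGSET
 * and their own register layout); elsewhere fail with ENOTSUP. */
int regs_via_ptrace(pid_t pid, unsigned long long *sp, unsigned long long *ip)
{
#if defined(__linux__) && defined(__x86_64__)
    struct user_regs_struct regs;

    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1)
        return -1;
    *sp = regs.rsp;
    *ip = regs.rip;
    return 0;
#else
    (void)pid; (void)sp; (void)ip;
    errno = ENOTSUP;
    return -1;
#endif
}

int main(void)
{
    unsigned long long sp, ip;
    int status;
    pid_t pid;

    if (stat_field(SAMPLE_AFTER, KSTKESP_FIELD, &sp) == 0 &&
        stat_field(SAMPLE_AFTER, KSTKEIP_FIELD, &ip) == 0)
        printf("/proc after patch: kstkesp=%llu kstkeip=%llu\n", sp, ip);

    /* Child stops itself; the parent reads its registers while it is frozen. */
    pid = fork();
    if (pid == 0) {
#if defined(__linux__) && defined(__x86_64__)
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
#endif
        raise(SIGSTOP);
        _exit(0);
    }
    if (pid > 0 && waitpid(pid, &status, WUNTRACED) == pid && WIFSTOPPED(status)) {
        if (regs_via_ptrace(pid, &sp, &ip) == 0)
            printf("ptrace: sp=%#llx ip=%#llx\n", sp, ip);
        else
            perror("ptrace");
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
    }
    return 0;
}
```

On a kernel with this patch, `stat_field()` returns 0 for both fields on any process, so a monitoring tool that "validates" a process by inspecting kstkeip will silently start seeing 0 and should be updated; the ptrace path is only usable under the same access checks that governed `permitted` here, and a tracer may be refused by a Yama ptrace_scope setting.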