fs/proc/array.c: make safe access to group_leader
author	Adrian Salido <salidoa@google.com>
	Mon, 16 Jan 2017 11:56:05 +0000 (16:56 +0530)
committer	Manish Tuteja <mtuteja@nvidia.com>
	Wed, 1 Mar 2017 00:37:10 +0000 (16:37 -0800)
commit	7a6394a97b38d484e09272d56ef876a8784e8392
tree	569570f7dca46759497ad32d3622ae4612ed8907
parent	055313cc4c60fa430f904ac342a97099be269d5d
fs/proc/array.c: make safe access to group_leader

As mentioned in commit 52ee2dfdd4f51cf422ea6a96a0846dc94244aa37
("pids: refactor vnr/nr_ns helpers to make them safe"), the *_nr_ns
helpers used to be buggy. That commit addresses most of the helpers but
is missing task_tgid_xxx().

Without this protection there is a possible use after free reported by
kasan instrumented kernel:

==================================================================
BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
Read of size 8 by task cat/2472
CPU: 1 PID: 2472 Comm: cat Tainted: ****
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
[<ffffffc00020aec0>] show_stack+0x18/0x24
[<ffffffc0011573d0>] dump_stack+0x94/0x100
[<ffffffc0003c7dc0>] kasan_report+0x308/0x554
[<ffffffc0003c7518>] __asan_load8+0x20/0x7c
[<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
[<ffffffc00046951c>] proc_pid_status+0x444/0x1080
[<ffffffc000460f60>] proc_single_show+0x8c/0xdc
[<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
[<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
[<ffffffc0003d1b98>] SyS_read+0x68/0xd4

This race condition is addressed by accessing group_leader while holding
rcu_lock and using the now-safe helpers introduced in the commit
mentioned above.

Bug: 31495866
Bug: 1858126
CVE-2017-0427 (A-31495866)

Signed-off-by: Adrian Salido <salidoa@google.com>
Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285902
(cherry picked from commit 3367b633042dcc778642f95cd0b3acd6c3a0a0fe)
Reviewed-on: http://git-master/r/1299523
(cherry picked from commit d6b8dd489f260d69473e03609b2ac637a3a75201)
Reviewed-on: http://git-master/r/1311423
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
fs/proc/array.c