diff options
| author | Aleksa Sarai <cyphar@cyphar.com> | 2023-07-13 17:09:58 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-09-13 10:53:54 +0300 |
| commit | a08eaac6652b4a9e8708f6840c8076bd5b234b4c (patch) | |
| tree | c79bc674c160fee4adfedebaa4c4afcb8edd383a /fs/proc/base.c | |
| parent | f42cee0051db25ab6d0da4348f00729f22b5493f (diff) | |
| download | linux-a08eaac6652b4a9e8708f6840c8076bd5b234b4c.tar.xz | |
procfs: block chmod on /proc/thread-self/comm
commit ccf61486fe1e1a48e18c638d1813cda77b3c0737 upstream.
Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread
cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD,
chmod operations on /proc/thread-self/comm were no longer blocked as
they are on almost all other procfs files.
A very similar situation with /proc/self/environ was used to as a root
exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a
correctness issue.
Ref: https://lwn.net/Articles/191954/
Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files")
Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE")
Cc: stable@vger.kernel.org # v4.7+
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Message-Id: <20230713141001.27046-1-cyphar@cyphar.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/proc/base.c')
| -rw-r--r-- | fs/proc/base.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c index 9df3f4839662..ee4b824658a0 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, } static const struct inode_operations proc_tid_comm_inode_operations = { - .permission = proc_tid_comm_permission, + .setattr = proc_setattr, + .permission = proc_tid_comm_permission, }; /* |