<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/fs/proc/base.c, branch linux-2.6.29.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-2.6.29.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-2.6.29.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2009-05-08T22:45:09+00:00</updated>
<entry>
<title>proc: avoid information leaks to non-privileged processes</title>
<updated>2009-05-08T22:45:09+00:00</updated>
<author>
<name>Jake Edge</name>
<email>jake@lwn.net</email>
</author>
<published>2009-05-04T18:51:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=334ed22054b2ec8477e4409e214fc139cf937ef6'/>
<id>urn:sha1:334ed22054b2ec8477e4409e214fc139cf937ef6</id>
<content type='text'>
commit f83ce3e6b02d5e48b3a43b001390e2b58820389d upstream.

By using the same test as is used for /proc/pid/maps and /proc/pid/smaps,
only allow processes that can ptrace() a given process to see information
that might be used to bypass address space layout randomization (ASLR).
These include eip, esp, wchan, and start_stack in /proc/pid/stat as well
as the non-symbolic output from /proc/pid/wchan.

ASLR can be bypassed by sampling eip as shown by the proof-of-concept
code at http://code.google.com/p/fuzzyaslr/ As part of a presentation
(http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan were
also noted as possibly usable information leaks as well.  The
start_stack address also leaks potentially useful information.

Cc: Stable Team &lt;stable@kernel.org&gt;
Signed-off-by: Jake Edge &lt;jake@lwn.net&gt;
Acked-by: Arjan van de Ven &lt;arjan@linux.intel.com&gt;
Acked-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>fix setuid sometimes wouldn't</title>
<updated>2009-05-08T22:45:06+00:00</updated>
<author>
<name>Hugh Dickins</name>
<email>hugh@veritas.com</email>
</author>
<published>2009-03-28T23:21:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6560e7a44e83e8dd111c64e3ed77ad08d2550e23'/>
<id>urn:sha1:6560e7a44e83e8dd111c64e3ed77ad08d2550e23</id>
<content type='text'>
commit 7c2c7d993044cddc5010f6f429b100c63bc7dffb upstream.

check_unsafe_exec() also notes whether the fs_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/&lt;pid&gt;/cwd and /proc/&lt;pid&gt;/root lookups make transient
use of get_fs_struct(), which also raises that sharing count.

This might occasionally cause a setuid program not to change euid,
in the same way as happened with files-&gt;count (check_unsafe_exec
also looks at sighand-&gt;count, but /proc doesn't raise that one).

We'd prefer exec not to unshare fs_struct: so fix this in procfs,
replacing get_fs_struct() by get_fs_path(), which does path_get
while still holding task_lock, instead of raising fs-&gt;count.

Signed-off-by: Hugh Dickins &lt;hugh@veritas.com&gt;
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>Avoid 64-bit "switch()" statements on 32-bit architectures</title>
<updated>2009-03-17T17:02:35+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2009-03-17T17:02:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ee568b25ee9e160b32d1aef73d8b2ee9c05d34db'/>
<id>urn:sha1:ee568b25ee9e160b32d1aef73d8b2ee9c05d34db</id>
<content type='text'>
Commit ee6f779b9e0851e2f7da292a9f58e0095edf615a ("filp-&gt;f_pos not
correctly updated in proc_task_readdir") changed the proc code to use
filp-&gt;f_pos directly, rather than through a temporary variable.  In the
process, that caused the operations to be done on the full 64 bits, even
though the offset is never that big.

That's all fine and dandy per se, but for some unfathomable reason gcc
generates absolutely horrid code when using 64-bit values in switch()
statements.  To the point of actually calling out to gcc helper
functions like __cmpdi2 rather than just doing the trivial comparisons
directly the way gcc does for normal compares.  At which point we get
link failures, because we really don't want to support that kind of
crazy code.

Fix this by just casting the f_pos value to "unsigned long", which
is plenty big enough for /proc, and avoids the gcc code generation issue.

Reported-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Cc: Zhang Le &lt;r0bertz@gentoo.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>filp-&gt;f_pos not correctly updated in proc_task_readdir</title>
<updated>2009-03-16T14:51:33+00:00</updated>
<author>
<name>Zhang Le</name>
<email>r0bertz@gentoo.org</email>
</author>
<published>2009-03-16T06:44:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ee6f779b9e0851e2f7da292a9f58e0095edf615a'/>
<id>urn:sha1:ee6f779b9e0851e2f7da292a9f58e0095edf615a</id>
<content type='text'>
filp-&gt;f_pos only get updated at the end of the function. Thus d_off of those
dirents who are in the middle will be 0, and this will cause a problem in
glibc's readdir implementation, specifically endless loop. Because when overflow
occurs, f_pos will be set to next dirent to read, however it will be 0, unless
the next one is the last one. So it will start over again and again.

There is a sample program in man 2 gendents. This is the output of the program
running on a multithread program's task dir before this patch is applied:

  $ ./a.out /proc/3807/task
  --------------- nread=128 ---------------
  i-node#  file type  d_reclen  d_off   d_name
    506442  directory    16          1  .
    506441  directory    16          0  ..
    506443  directory    16          0  3807
    506444  directory    16          0  3809
    506445  directory    16          0  3812
    506446  directory    16          0  3861
    506447  directory    16          0  3862
    506448  directory    16          8  3863

This is the output after this patch is applied

  $ ./a.out /proc/3807/task
  --------------- nread=128 ---------------
  i-node#  file type  d_reclen  d_off   d_name
    506442  directory    16          1  .
    506441  directory    16          2  ..
    506443  directory    16          3  3807
    506444  directory    16          4  3809
    506445  directory    16          5  3812
    506446  directory    16          6  3861
    506447  directory    16          7  3862
    506448  directory    16          8  3863

Signed-off-by: Zhang Le &lt;r0bertz@gentoo.org&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>Merge branch 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/adobriyan/proc</title>
<updated>2009-01-07T20:01:06+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2009-01-07T20:01:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a0c9f240a992c4c2b6ac40324ece27475cf3b71a'/>
<id>urn:sha1:a0c9f240a992c4c2b6ac40324ece27475cf3b71a</id>
<content type='text'>
* 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/adobriyan/proc:
  proc: remove write-only variable in proc_pident_lookup()
  proc: fix sparse warning
  proc: add /proc/*/stack
  proc: remove '##' usage
  proc: remove useless WARN_ONs
  proc: stop using BKL
</content>
</entry>
<entry>
<title>zero i_uid/i_gid on inode allocation</title>
<updated>2009-01-05T16:54:28+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2008-12-09T14:34:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=56ff5efad96182f4d3cb3dc6b07396762c658f16'/>
<id>urn:sha1:56ff5efad96182f4d3cb3dc6b07396762c658f16</id>
<content type='text'>
... and don't bother in callers.  Don't bother with zeroing i_blocks,
while we are at it - it's already been zeroed.

i_mode is not worth the effort; it has no common default value.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>proc: remove write-only variable in proc_pident_lookup()</title>
<updated>2009-01-05T09:27:45+00:00</updated>
<author>
<name>WANG Cong</name>
<email>wangcong@zeuux.org</email>
</author>
<published>2008-12-30T16:10:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=230e40fbda242544389a5428a2efac568178ddfe'/>
<id>urn:sha1:230e40fbda242544389a5428a2efac568178ddfe</id>
<content type='text'>
Signed-off-by: WANG Cong &lt;wangcong@zeuux.org&gt;
Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
</content>
</entry>
<entry>
<title>proc: fix sparse warning</title>
<updated>2009-01-05T09:27:45+00:00</updated>
<author>
<name>Hannes Eder</name>
<email>hannes@hanneseder.net</email>
</author>
<published>2008-12-30T15:49:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=dfe6b7d9406c631d697f8bbe1eae5569b808154f'/>
<id>urn:sha1:dfe6b7d9406c631d697f8bbe1eae5569b808154f</id>
<content type='text'>
fs/proc/base.c:312:4: warning: do-while statement is not a compound statement

Signed-off-by: Hannes Eder &lt;hannes@hanneseder.net&gt;
Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
</content>
</entry>
<entry>
<title>proc: add /proc/*/stack</title>
<updated>2009-01-05T09:27:44+00:00</updated>
<author>
<name>Ken Chen</name>
<email>kenchen@google.com</email>
</author>
<published>2008-11-10T08:26:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2ec220e27f5040aec1e88901c1b6ea3d135787ad'/>
<id>urn:sha1:2ec220e27f5040aec1e88901c1b6ea3d135787ad</id>
<content type='text'>
/proc/*/stack adds the ability to query a task's stack trace. It is more
useful than /proc/*/wchan as it provides full stack trace instead of single
depth. Example output:

	$ cat /proc/self/stack
	[&lt;c010a271&gt;] save_stack_trace_tsk+0x17/0x35
	[&lt;c01827b4&gt;] proc_pid_stack+0x4a/0x76
	[&lt;c018312d&gt;] proc_single_show+0x4a/0x5e
	[&lt;c016bdec&gt;] seq_read+0xf3/0x29f
	[&lt;c015a004&gt;] vfs_read+0x6d/0x91
	[&lt;c015a0c1&gt;] sys_read+0x3b/0x60
	[&lt;c0102eda&gt;] syscall_call+0x7/0xb
	[&lt;ffffffff&gt;] 0xffffffff

[add save_stack_trace_tsk() on mips, ACK Ralf --adobriyan]
Signed-off-by: Ken Chen &lt;kenchen@google.com&gt;
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
</content>
</entry>
<entry>
<title>proc: remove '##' usage</title>
<updated>2009-01-05T09:27:44+00:00</updated>
<author>
<name>Alexey Dobriyan</name>
<email>adobriyan@gmail.com</email>
</author>
<published>2008-11-09T22:32:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=631f9c1868b970197747c80fc5168ad7d9fd5d53'/>
<id>urn:sha1:631f9c1868b970197747c80fc5168ad7d9fd5d53</id>
<content type='text'>
Inability to jump to /proc/*/foo handlers with ctags is annoying.

Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
</content>
</entry>
</feed>
