1. 04 Sep, 2017 1 commit
  2. 12 Jul, 2017 1 commit
  3. 05 Jun, 2017 1 commit
  4. 21 Apr, 2017 2 commits
  5. 15 Dec, 2016 1 commit
  6. 21 May, 2016 1 commit
  7. 22 Mar, 2016 1 commit
    • Jann Horn's avatar
      fs/coredump: prevent fsuid=0 dumps into user-controlled directories · 378c6520
      Jann Horn authored
      This commit fixes the following security hole affecting systems where
      all of the following conditions are fulfilled:
       - The fs.suid_dumpable sysctl is set to 2.
       - The kernel.core_pattern sysctl's value starts with "/". (Systems
         where kernel.core_pattern starts with "|/" are not affected.)
       - Unprivileged user namespace creation is permitted. (This is
         true on Linux >=3.8, but some distributions disallow it by
         default using a distro patch.)
      Under these conditions, if a program executes under secure exec rules,
      causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
      namespace, changes its root directory and crashes, the coredump will be
      written using fsuid=0 and a path derived from kernel.core_pattern - but
      this path is interpreted relative to the root directory of the process,
      allowing the attacker to control where a coredump will be written with
      root privileges.
      To fix the security issue, always interpret core_pattern for dumps that
      are written under SUID_DUMP_ROOT relative to the root directory of init.
      Signed-off-by: 's avatarJann Horn <jann@thejh.net>
      Acked-by: 's avatarKees Cook <keescook@chromium.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
  8. 11 Dec, 2014 1 commit
    • Prarit Bhargava's avatar
      kernel: add panic_on_warn · 9e3961a0
      Prarit Bhargava authored
      There have been several times where I have had to rebuild a kernel to
      cause a panic when hitting a WARN() in the code in order to get a crash
      dump from a system.  Sometimes this is easy to do, other times (such as
      in the case of a remote admin) it is not trivial to send new images to
      the user.
      A much easier method would be a switch to change the WARN() over to a
      panic.  This makes debugging easier in that I can now test the actual
      image the WARN() was seen on and I do not have to engage in remote
      This patch adds a panic_on_warn kernel parameter and
      /proc/sys/kernel/panic_on_warn calls panic() in the
      warn_slowpath_common() path.  The function will still print out the
      location of the warning.
      An example of the panic_on_warn output:
      The first line below is from the WARN_ON() to output the WARN_ON()'s
      location.  After that the panic() output is displayed.
          WARNING: CPU: 30 PID: 11698 at /home/prarit/dummy_module/dummy-module.c:25 init_dummy+0x1f/0x30 [dummy_module]()
          Kernel panic - not syncing: panic_on_warn set ...
          CPU: 30 PID: 11698 Comm: insmod Tainted: G        W  OE  3.17.0+ #57
          Hardware name: Intel Corporation S2600CP/S2600CP, BIOS RMLSDP.86I.00.29.D696.1311111329 11/11/2013
           0000000000000000 000000008e3f87df ffff88080f093c38 ffffffff81665190
           0000000000000000 ffffffff818aea3d ffff88080f093cb8 ffffffff8165e2ec
           ffffffff00000008 ffff88080f093cc8 ffff88080f093c68 000000008e3f87df
          Call Trace:
           [<ffffffff81665190>] dump_stack+0x46/0x58
           [<ffffffff8165e2ec>] panic+0xd0/0x204
           [<ffffffffa038e05f>] ? init_dummy+0x1f/0x30 [dummy_module]
           [<ffffffff81076b90>] warn_slowpath_common+0xd0/0xd0
           [<ffffffffa038e040>] ? dummy_greetings+0x40/0x40 [dummy_module]
           [<ffffffff81076c8a>] warn_slowpath_null+0x1a/0x20
           [<ffffffffa038e05f>] init_dummy+0x1f/0x30 [dummy_module]
           [<ffffffff81002144>] do_one_initcall+0xd4/0x210
           [<ffffffff811b52c2>] ? __vunmap+0xc2/0x110
           [<ffffffff810f8889>] load_module+0x16a9/0x1b30
           [<ffffffff810f3d30>] ? store_uevent+0x70/0x70
           [<ffffffff810f49b9>] ? copy_module_from_fd.isra.44+0x129/0x180
           [<ffffffff810f8ec6>] SyS_finit_module+0xa6/0xd0
           [<ffffffff8166cf29>] system_call_fastpath+0x12/0x17
      Successfully tested by me.
      hpa said: There is another very valid use for this: many operators would
      rather a machine shuts down than being potentially compromised either
      functionally or security-wise.
      Signed-off-by: 's avatarPrarit Bhargava <prarit@redhat.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Acked-by: 's avatarYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: Fabian Frederick <fabf@skynet.be>
      Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
  9. 28 Sep, 2014 1 commit
  10. 01 Jul, 2014 1 commit
    • Ben Greear's avatar
      ipv6: Allow accepting RA from local IP addresses. · d9333196
      Ben Greear authored
      This can be used in virtual networking applications, and
      may have other uses as well.  The option is disabled by
      A specific use case is setting up virtual routers, bridges, and
      hosts on a single OS without the use of network namespaces or
      virtual machines.  With proper use of ip rules, routing tables,
      veth interface pairs and/or other virtual interfaces,
      and applications that can bind to interfaces and/or IP addresses,
      it is possibly to create one or more virtual routers with multiple
      hosts attached.  The host interfaces can act as IPv6 systems,
      with radvd running on the ports in the virtual routers.  With the
      option provided in this patch enabled, those hosts can now properly
      obtain IPv6 addresses from the radvd.
      Signed-off-by: 's avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
  11. 13 Nov, 2013 1 commit
  12. 26 Jun, 2013 1 commit
  13. 09 May, 2013 1 commit
  14. 28 Feb, 2013 1 commit
  15. 26 Feb, 2013 1 commit
  16. 05 Feb, 2013 1 commit
  17. 19 Nov, 2012 1 commit
    • Eric W. Biederman's avatar
      pidns: Use task_active_pid_ns where appropriate · 17cf22c3
      Eric W. Biederman authored
      The expressions tsk->nsproxy->pid_ns and task_active_pid_ns
      aka ns_of_pid(task_pid(tsk)) should have the same number of
      cache line misses with the practical difference that
      ns_of_pid(task_pid(tsk)) is released later in a processes life.
      Furthermore by using task_active_pid_ns it becomes trivial
      to write an unshare implementation for the the pid namespace.
      So I have used task_active_pid_ns everywhere I can.
      In fork since the pid has not yet been attached to the
      process I use ns_of_pid, to achieve the same effect.
      Signed-off-by: 's avatarEric W. Biederman <ebiederm@xmission.com>
  18. 01 Aug, 2012 1 commit
  19. 23 Jun, 2012 2 commits
  20. 20 Dec, 2011 1 commit
    • Michel Lespinasse's avatar
      binary_sysctl(): fix memory leak · 3d3c8f93
      Michel Lespinasse authored
      binary_sysctl() calls sysctl_getname() which allocates from names_cache
      slab usin __getname()
      The matching function to free the name is __putname(), and not putname()
      which should be used only to match getname() allocations.
      This is because when auditing is enabled, putname() calls audit_putname
      *instead* (not in addition) to __putname().  Then, if a syscall is in
      progress, audit_putname does not release the name - instead, it expects
      the name to get released when the syscall completes, but that will happen
      only if audit_getname() was called previously, i.e.  if the name was
      allocated with getname() rather than the naked __getname().  So,
      __getname() followed by putname() ends up leaking memory.
      Signed-off-by: 's avatarMichel Lespinasse <walken@google.com>
      Acked-by: 's avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
  21. 03 Oct, 2011 1 commit
  22. 12 Aug, 2011 1 commit
    • Christoph Hellwig's avatar
      xfs: remove subdirectories · c59d87c4
      Christoph Hellwig authored
      Use the move from Linux 2.6 to Linux 3.x as an excuse to kill the
      annoying subdirectories in the XFS source code.  Besides the large
      amount of file rename the only changes are to the Makefile, a few
      files including headers with the subdirectory prefix, and the binary
      sysctl compat code that includes a header under fs/xfs/ from
      Signed-off-by: 's avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: 's avatarAlex Elder <aelder@sgi.com>
  23. 14 Mar, 2011 1 commit
    • Al Viro's avatar
      open-style analog of vfs_path_lookup() · 73d049a4
      Al Viro authored
      new function: file_open_root(dentry, mnt, name, flags) opens the file
      vfs_path_lookup would arrive to.
      Note that name can be empty; in that case the usual requirement that
      dentry should be a directory is lifted.
      open-coded equivalents switched to it, may_open() got down exactly
      one caller and became static.
      Signed-off-by: 's avatarAl Viro <viro@zeniv.linux.org.uk>
  24. 09 Dec, 2010 1 commit
  25. 01 Nov, 2010 1 commit
  26. 25 May, 2010 1 commit
  27. 08 May, 2010 1 commit
  28. 30 Mar, 2010 1 commit
    • Tejun Heo's avatar
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      The script does the followings.
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
      The conversion was done in the following steps.
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
      6. percpu.h was updated not to include slab.h.
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: 's avatarTejun Heo <tj@kernel.org>
      Guess-its-ok-by: 's avatarChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
  29. 03 Mar, 2010 1 commit
  30. 23 Dec, 2009 1 commit
    • Andi Kleen's avatar
      SYSCTL: Print binary sysctl warnings (nearly) only once · 4440095c
      Andi Kleen authored
      When printing legacy sysctls print the warning message
      for each of them only once.  This way there is a guarantee
      the syslog won't be flooded for any sane program.
      The original attempt at this made the tables non const and stored
      the flag inline.
      Linus suggested using a separate hash table for this, this is based on a
      code snippet from him.
      The hash implies this is not exact and can sometimes not print a
      new sysctl due to a hash collision, but in practice this should not
      be a problem
      I used a FNV32 hash over the binary string with a 32byte bitmap. This
      gives relatively little collisions when all the predefined binary sysctls
      are hashed:
      size 256
      length      number
      0:          [25]
      1:          [67]
      2:          [88]
      3:          [47]
      4:          [22]
      5:          [6]
      6:          [1]
      The worst case is a single collision of 6 hash values.
      Signed-off-by: 's avatarAndi Kleen <ak@linux.intel.com>
  31. 16 Dec, 2009 1 commit
  32. 12 Nov, 2009 3 commits
  33. 11 Nov, 2009 1 commit
    • Eric W. Biederman's avatar
      sysctl: Reduce sys_sysctl to a compatibility wrapper around /proc/sys · 26a7034b
      Eric W. Biederman authored
      To simply maintenance and to be able to remove all of the binary
      sysctl support from various subsystems I have rewritten the binary
      sysctl code as a compatibility wrapper around proc/sys.
      The code is built around a hard coded table based on the table
      in sysctl_check.c that lists all of our current binary sysctls
      and provides enough information to convert from the sysctl
      binary input into into ascii and back again.  New in this
      patch is the realization that the only dynamic entries
      that need to be handled have ifname as the asscii string
      and ifindex as their ctl_name.
      When a sys_sysctl is called the code now looks in the
      translation table converting the binary name to the
      path under /proc where the value is to be found.  Opens
      that file, and calls into a format conversion wrapper
      that calls fop->read and then fop->write as appropriate.
      Since in practice the practically no one uses or tests
      sys_sysctl rewritting the code to be beautiful is a little
      silly.  The redeeming merit of this work is it allows us to
      rip out all of the binary sysctl syscall support from
      everywhere else in the tree.  Allowing us to remove
      a lot of dead (after this patch) and barely maintained code.
      In addition it becomes much easier to optimize the sysctl
      implementation for being the backing store of /proc/sys,
      without having to worry about sys_sysctl.
      Signed-off-by: 's avatarEric W. Biederman <ebiederm@xmission.com>
  34. 06 Nov, 2009 3 commits
    • Eric W. Biederman's avatar
      sysctl: Make do_sysctl static · 642c6d94
      Eric W. Biederman authored
      Now that all of the architectures use compat_sys_sysctl do_sysctl
      can become static.
      Signed-off-by: 's avatarEric W. Biederman <ebiederm@xmission.com>
    • Eric W. Biederman's avatar
      sysctl: Introduce a generic compat sysctl sysctl · da3f6f9b
      Eric W. Biederman authored
      This uses compat_alloc_userspace to remove the various
      hacks to allow do_sysctl to write to throuh oldlenp.
      The rest of our mature compat syscall helper facitilies
      are used as well to ensure we have a nice clean maintainable
      compat syscall that can be used on all architectures.
      The motiviation for a generic compat sysctl (besides the
      obvious hack removal) is to reduce the number of compat
      sysctl defintions out there so I can refactor the
      binary sysctl implementation.
      ppc already used the name compat_sys_sysctl so I remove the
      ppcs version here.
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Acked-by: 's avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: 's avatarEric W. Biederman <ebiederm@xmission.com>
    • Eric W. Biederman's avatar
      sysctl: Refactor the binary sysctl handling to remove duplicate code · 2830b683
      Eric W. Biederman authored
      Read in the binary sysctl path once, instead of reread it
      from user space each time the code needs to access a path
      The deprecated sysctl warning is moved to do_sysctl so
      that the compat_sysctl entries syscalls will also warn.
      The return of -ENOSYS when !CONFIG_SYSCTL_SYSCALL is moved
      to binary_sysctl.  Always leaving a do_sysctl available
      that handles !CONFIG_SYSCTL_SYSCALL and printing the
      deprecated sysctl warning allows for a single defitition
      of the sysctl syscall.
      Signed-off-by: 's avatarEric W. Biederman <ebiederm@xmission.com>