Bug 675998

Summary: /dev/crash does not require CAP_SYS_RAWIO for access
Product: Red Hat Enterprise Linux 6 Reporter: Steve Grubb <sgrubb>
Component: kernelAssignee: Dave Anderson <anderson>
Status: CLOSED ERRATA QA Contact: Jan Tluka <jtluka>
Severity: high Docs Contact:
Priority: high    
Version: 6.0CC: bsarathy, eparis, mzywusko, ohudlick, phan, snagar
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: kernel-2.6.32-118.el6 Doc Type: Bug Fix
Last Closed: 2011-05-19 12:54:47 UTC Type: ---
Bug Blocks: 655920    

Description Steve Grubb 2011-02-08 15:04:20 UTC
Description of problem:
The crash kernel module does not check if the calling process has CAP_SYS_RAWIO. Other kernel memory access entry points have that check. For consistency, we should require CAP_SYS_RAWIO in order to allow reading of kernel memory.

Comment 2 Dave Anderson 2011-02-16 18:33:24 UTC
This is the patch:

--- linux-2.6.32-115.el6.bz675998.x86_64/drivers/char/crash.c.orig
+++ linux-2.6.32-115.el6.bz675998.x86_64/drivers/char/crash.c
@@ -32,7 +32,7 @@
 #include <asm/types.h>
 #include <asm/crash.h>
 
-#define CRASH_VERSION   "1.0"
+#define CRASH_VERSION   "1.1"
 
 /*
  *  These are the file operation functions that allow crash utility
@@ -86,10 +86,17 @@ crash_read(struct file *file, char *buf,
 	return read;
 }
 
+static int 
+crash_open(struct inode * inode, struct file * filp)
+{
+        return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+}
+
 static struct file_operations crash_fops = {
 	.owner = THIS_MODULE,
 	.llseek = crash_llseek,
 	.read = crash_read,
+	.open = crash_open,
 };
 
 static struct miscdevice crash_dev = {
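Review bot: The body of the new crash_open is indented with eight spaces and the `static int ` line carries trailing whitespace, while the surrounding lines of crash.c use tabs (`	return read;`, `	.owner = THIS_MODULE,`); `struct inode * inode` spacing is not kernel style either, so checkpatch would flag all three. I would write it as `static int crash_open(struct inode *inode, struct file *filp)` with a tab-indented `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;`. The function also has no comment recording why this capability was chosen; a one-liner such as `/* Raw kernel memory reads need the same privilege as the other kernel memory devices. */` would tie the code to the policy stated in the bug description. Note that the check is made once at open() rather than on each read(), so a descriptor opened by a CAP_SYS_RAWIO holder stays readable after the capability is dropped or the fd is inherited; that matches how the other raw-memory character devices presumably behave, but it is worth stating in the comment. Whether `capable()` is reached through an explicit `#include <linux/capability.h>` or transitively cannot be seen from this hunk (the build output below shows it links).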
 

And it works OK:

 # crash
 
 crash 5.1.1-1.el6
 Copyright (C) 2002-2010  Red Hat, Inc.
 Copyright (C) 2004, 2005, 2006  IBM Corporation
 Copyright (C) 1999-2006  Hewlett-Packard Co
 Copyright (C) 2005, 2006  Fujitsu Limited
 Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
 Copyright (C) 2005  NEC Corporation
 Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
 Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
 This program is free software, covered by the GNU General Public License,
 and you are welcome to change it and/or distribute copies of it under
 certain conditions.  Enter "help copying" to see the conditions.
 This program has absolutely no warranty.  Enter "help warranty" for details.
  
 GNU gdb (GDB) 7.0
 Copyright (C) 2009 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-unknown-linux-gnu"...
 
       KERNEL: /usr/lib/debug/lib/modules/2.6.32-115.el6.bz675998.x86_64/vmlinux
     DUMPFILE: /dev/crash
         CPUS: 6
         DATE: Wed Feb 16 13:24:11 2011
       UPTIME: 01:51:59
 LOAD AVERAGE: 0.29, 0.08, 0.02
        TASKS: 201
     NODENAME: hp-z400-02.lab.bos.redhat.com
      RELEASE: 2.6.32-115.el6.bz675998.x86_64
      VERSION: #1 SMP Tue Feb 15 14:53:42 EST 2011
      MACHINE: x86_64  (3067 Mhz)
       MEMORY: 4 GB
          PID: 7584
      COMMAND: "crash"
         TASK: ffff88013565e100  [THREAD_INFO: ffff880137802000]
          CPU: 2
        STATE: TASK_RUNNING (ACTIVE)
 
 crash> p crash_fops
 crash_fops = $3 = {
   owner = 0x0, 
   llseek = 0xffffffff81328eb0 <crash_llseek>, 
   read = 0xffffffff81328f00 <crash_read>, 
   write = 0, 
   aio_read = 0, 
   aio_write = 0, 
   readdir = 0, 
   poll = 0, 
   ioctl = 0, 
   unlocked_ioctl = 0, 
   compat_ioctl = 0, 
   mmap = 0, 
   open = 0xffffffff81328ee0 <crash_open>, 
   flush = 0, 
   release = 0, 
   fsync = 0, 
   aio_fsync = 0, 
   fasync = 0, 
   lock = 0, 
   sendpage = 0, 
   get_unmapped_area = 0, 
   check_flags = 0, 
   flock = 0, 
   splice_write = 0, 
   splice_read = 0, 
   setlease = 0
 }
 crash> dis crash_open
 0xffffffff81328ee0 <crash_open>:        push   %rbp
 0xffffffff81328ee1 <crash_open+1>:      mov    %rsp,%rbp
 0xffffffff81328ee4 <crash_open+4>:      nopl   0x0(%rax,%rax,1)
 0xffffffff81328ee9 <crash_open+9>:      mov    $0x11,%edi
 0xffffffff81328eee <crash_open+14>:     callq  0xffffffff81073c30 <capable>
 0xffffffff81328ef3 <crash_open+19>:     cmp    $0x1,%eax
 0xffffffff81328ef6 <crash_open+22>:     leaveq 
 0xffffffff81328ef7 <crash_open+23>:     sbb    %eax,%eax
 0xffffffff81328ef9 <crash_open+25>:     retq   
 0xffffffff81328efa <crash_open+26>:     nopw   0x0(%rax,%rax,1)
 crash>

Comment 4 Aristeu Rozanski 2011-02-23 18:36:43 UTC
Patch(es) available on kernel-2.6.32-118.el6

Comment 8 errata-xmlrpc 2011-05-19 12:54:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0542.html