Bug 770648

Summary: kernel: /proc/pid/* information leak
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: agordeev, anton, arozansk, bhu, dhoward, fhrbata, jkacur, kernel-mgr, lgoncalv, lwang, plougher, pmatouse, rt-maint, segoon, sforsber, solar, vgoyal, williams, wnefal+redhatbugzilla
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-08-24 13:35:01 UTC
Bug Depends On: 770649, 770650, 770651, 770652, 770653, 770654, 782686    
Bug Blocks: 770647    

Description Eugene Teo (Security Response) 2011-12-28 08:59:00 UTC
/proc/$PID/{sched,schedstat,etc} information leak. Demo: http://openwall.com/lists/oss-security/2011/11/05/3

Solution:
/proc/$pid/* vuln will be fixed in the following patch series by introducing
a restricted procfs permission mode:

[RFC v2 1/3] procfs: parse mount options
https://lkml.org/lkml/2011/11/19/41
[RFC v2 2/3] procfs: add hidepid= and gid= mount options
https://lkml.org/lkml/2011/11/19/42
[PATCH -next] proc: fix task_struct infoleak
https://lkml.org/lkml/2011/12/11/62 (fix for previous patch)
[RFC v2 3/3] procfs: add documentation for procfs mount options
https://lkml.org/lkml/2011/11/19/43

Currently these series are in the -mm tree.

Explanation:
https://lkml.org/lkml/2011/11/19/42

Acknowledgements:

Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
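
A defender's check for the hidepid= and gid= mount options that the patch series above introduces, as an added example that is not part of the bug report or the kernel patches: it parses /proc/mounts-format text and flags procfs mounts whose hidepid= level is below a required value. The sample mount table, the function names and the default required level of 2 are assumptions made for illustration.

```python
# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /srv/chroot/proc proc rw,relatime,gid=1001,hidepid=2 0 0
proc /var/jail/proc proc rw,relatime,hidepid=1 0 0
"""

# Numeric hidepid levels 0-2, plus the named spellings newer kernels print.
# Any other value is reported as unrecognised (level None).
HIDEPID_LEVELS = {"0": 0, "off": 0, "1": 1, "noaccess": 1,
                  "2": 2, "invisible": 2}


def parse_options(field):
    """Turn 'rw,gid=1001,hidepid=2' into {'rw': None, 'gid': '1001', ...}."""
    opts = {}
    for item in field.split(","):
        key, sep, value = item.partition("=")
        opts[key] = value if sep else None
    return opts


def audit_proc_mounts(mounts_text, required_level=2):
    """Return one finding per procfs mount: (mountpoint, level, gid, ok)."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "proc":
            continue
        opts = parse_options(fields[3])
        # An absent hidepid= option means the default, unrestricted mode.
        raw = opts.get("hidepid") or "0"
        level = HIDEPID_LEVELS.get(raw)
        ok = level is not None and level >= required_level
        findings.append((fields[1], level, opts.get("gid"), ok))
    return findings


if __name__ == "__main__":
    import sys
    # With no argument, audit the constructed sample; pass a path such as
    # /proc/mounts to audit a live system.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for mountpoint, level, gid, ok in audit_proc_mounts(text):
        status = "OK  " if ok else "WEAK"
        print(f"{status} {mountpoint} hidepid={level} gid={gid}")
```

A mount reported with a gid= value exempts members of that group from the restriction, so the group's membership is worth reviewing alongside the hidepid= level.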

Comment 3 Eugene Teo (Security Response) 2012-01-18 07:12:45 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782686]

Comment 5 Vasiliy Kulikov 2012-06-12 09:34:38 UTC
There is the following fix for initial mounting (instead of remounting):
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=99663be772c827b8f5f594fe87eb4807be1994e5

Comment 7 Vasiliy Kulikov 2012-08-18 21:05:46 UTC
The bug is still present in -279.5.1.el6.

Comment 8 Petr Matousek 2012-08-20 14:07:47 UTC
(In reply to comment #7)
> The bug is still present in -279.5.1.el6.

Vasiliy, which bug do you mean? The one you pointed out in comment #5?