Bug 675998 - /dev/crash does not require CAP_SYS_RAWIO for access
Summary: /dev/crash does not require CAP_SYS_RAWIO for access
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Dave Anderson
QA Contact: Jan Tluka
URL:
Whiteboard:
Depends On:
Blocks: 655920
Reported: 2011-02-08 15:04 UTC by Steve Grubb
Modified: 2011-05-19 12:54 UTC (History)

Fixed In Version: kernel-2.6.32-118.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 12:54:47 UTC
Target Upstream Version:
Embargoed:
Links:
Red Hat Product Errata RHSA-2011:0542 (priority normal, status SHIPPED_LIVE): Important: Red Hat Enterprise Linux 6.1 kernel security, bug fix and enhancement update (last updated 2011-05-19 11:58:07 UTC)

Description Steve Grubb 2011-02-08 15:04:20 UTC
Description of problem:
The crash kernel module does not check if the calling process has CAP_SYS_RAWIO. Other kernel memory access entry points have that check. For consistency, we should require CAP_SYS_RAWIO in order to allow reading of kernel memory.
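
A small user-space check for the property this report asks for, added here as an example rather than code from the report, the kernel patch or the crash utility: it reads the calling thread's effective capability set with the raw capget(2) syscall, tries to open the device read-only, and turns the two observations into a verdict. The device path /dev/crash, the helper names (has_cap_sys_rawio, probe_open, judge) and the verdict names are this example's own assumptions; it is Linux-only and needs the kernel UAPI header linux/capability.h but no libcap.

```c
/* crash_probe.c: verify the open-time CAP_SYS_RAWIO gate on /dev/crash
 * (added example for this bug; not part of the kernel patch or the crash
 * utility). Linux only: uses the raw capget(2) syscall so it needs no libcap.
 * The default device path /dev/crash and the helper names are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* CAP_SYS_RAWIO is capability number 17; it sits in the first 32-bit
 * word of the capget data array. */
#define CAP_SYS_RAWIO_MASK (1u << CAP_SYS_RAWIO)

enum verdict {
    VERDICT_OK_ALLOWED,   /* caller has the capability and open() succeeded */
    VERDICT_OK_DENIED,    /* caller lacks it and open() failed with EPERM/EACCES */
    VERDICT_FAIL_OPEN,    /* caller lacks it yet open() succeeded: the unfixed bug */
    VERDICT_INCONCLUSIVE  /* capget failed, device missing, or unexpected errno */
};

/* 1 if the calling thread's effective set contains CAP_SYS_RAWIO, 0 if not,
 * -1 if capget() itself failed. */
static int has_cap_sys_rawio(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];

    memset(&hdr, 0, sizeof(hdr));
    memset(data, 0, sizeof(data));
    hdr.version = _LINUX_CAPABILITY_VERSION_3;   /* two data words per set */
    hdr.pid = 0;                                 /* 0 = calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[0].effective & CAP_SYS_RAWIO_MASK) ? 1 : 0;
}

/* Try a read-only open of dev_path. Returns 0 on success (the fd is closed
 * again immediately) or the errno that open() reported. */
static int probe_open(const char *dev_path)
{
    int fd = open(dev_path, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Combine the two observations into a verdict about the gate. */
static enum verdict judge(int has_cap, int open_errno)
{
    if (has_cap < 0)
        return VERDICT_INCONCLUSIVE;
    if (open_errno == 0)
        return has_cap ? VERDICT_OK_ALLOWED : VERDICT_FAIL_OPEN;
    if (open_errno == EPERM || open_errno == EACCES)
        return has_cap ? VERDICT_INCONCLUSIVE : VERDICT_OK_DENIED;
    return VERDICT_INCONCLUSIVE;
}

static const char *verdict_text(enum verdict v)
{
    switch (v) {
    case VERDICT_OK_ALLOWED: return "OK: privileged caller may open the device";
    case VERDICT_OK_DENIED:  return "OK: unprivileged caller was refused";
    case VERDICT_FAIL_OPEN:  return "FAIL: opened without CAP_SYS_RAWIO";
    default:                 return "INCONCLUSIVE: see errno/capget details";
    }
}

int main(int argc, char **argv)
{
    const char *dev_path = argc > 1 ? argv[1] : "/dev/crash";  /* assumed path */
    int has_cap = has_cap_sys_rawio();
    int open_errno = probe_open(dev_path);
    enum verdict v = judge(has_cap, open_errno);

    printf("CAP_SYS_RAWIO effective: %d, open(%s): %s\n", has_cap, dev_path,
           open_errno ? strerror(open_errno) : "success");
    printf("%s\n", verdict_text(v));
    return v == VERDICT_FAIL_OPEN ? 1 : 0;
}
```

Run it twice on the box under test: once as plain root, where OK_ALLOWED is expected, and once as root with the capability removed from the bounding set (for example via libcap's `capsh --drop=cap_sys_rawio -- -c ./crash_probe`, so it is gone after the exec). On a kernel carrying the fix the second run should report OK_DENIED; on an unfixed kernel root's CAP_DAC_OVERRIDE still gets the device open and the run reports FAIL, which is exactly the condition described in this report.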

Comment 2 Dave Anderson 2011-02-16 18:33:24 UTC
This is the patch:

--- linux-2.6.32-115.el6.bz675998.x86_64/drivers/char/crash.c.orig
+++ linux-2.6.32-115.el6.bz675998.x86_64/drivers/char/crash.c
@@ -32,7 +32,7 @@
 #include <asm/types.h>
 #include <asm/crash.h>
 
-#define CRASH_VERSION   "1.0"
+#define CRASH_VERSION   "1.1"
 
 /*
  *  These are the file operation functions that allow crash utility
@@ -86,10 +86,17 @@ crash_read(struct file *file, char *buf,
 	return read;
 }
 
+static int 
+crash_open(struct inode * inode, struct file * filp)
+{
+        return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+}
+
 static struct file_operations crash_fops = {
 	.owner = THIS_MODULE,
 	.llseek = crash_llseek,
 	.read = crash_read,
+	.open = crash_open,
 };
 
 static struct miscdevice crash_dev = {
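Review bot: style nits in the new crash_open() block: `+static int ` carries trailing whitespace, the `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;` body is indented with eight spaces while the rest of the file (for example `.owner = THIS_MODULE,`) uses tabs, and `struct inode * inode, struct file * filp` should be `struct inode *inode, struct file *filp` per kernel style. Also worth one sentence in the commit message: the gate is enforced only in `.open`, with `.read = crash_read` unchanged, so a descriptor opened by a process that held CAP_SYS_RAWIO stays readable if the process later drops the capability or hands the fd on; that is the usual behaviour of open-time capability checks, but stating it makes the scope of the fix clear.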
 

And it works OK:

 # crash
 
 crash 5.1.1-1.el6
 Copyright (C) 2002-2010  Red Hat, Inc.
 Copyright (C) 2004, 2005, 2006  IBM Corporation
 Copyright (C) 1999-2006  Hewlett-Packard Co
 Copyright (C) 2005, 2006  Fujitsu Limited
 Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
 Copyright (C) 2005  NEC Corporation
 Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
 Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
 This program is free software, covered by the GNU General Public License,
 and you are welcome to change it and/or distribute copies of it under
 certain conditions.  Enter "help copying" to see the conditions.
 This program has absolutely no warranty.  Enter "help warranty" for details.
  
 GNU gdb (GDB) 7.0
 Copyright (C) 2009 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-unknown-linux-gnu"...
 
       KERNEL: /usr/lib/debug/lib/modules/2.6.32-115.el6.bz675998.x86_64/vmlinux
     DUMPFILE: /dev/crash
         CPUS: 6
         DATE: Wed Feb 16 13:24:11 2011
       UPTIME: 01:51:59
 LOAD AVERAGE: 0.29, 0.08, 0.02
        TASKS: 201
     NODENAME: hp-z400-02.lab.bos.redhat.com
      RELEASE: 2.6.32-115.el6.bz675998.x86_64
      VERSION: #1 SMP Tue Feb 15 14:53:42 EST 2011
      MACHINE: x86_64  (3067 Mhz)
       MEMORY: 4 GB
          PID: 7584
      COMMAND: "crash"
         TASK: ffff88013565e100  [THREAD_INFO: ffff880137802000]
          CPU: 2
        STATE: TASK_RUNNING (ACTIVE)
 
 crash> p crash_fops
 crash_fops = $3 = {
   owner = 0x0, 
   llseek = 0xffffffff81328eb0 <crash_llseek>, 
   read = 0xffffffff81328f00 <crash_read>, 
   write = 0, 
   aio_read = 0, 
   aio_write = 0, 
   readdir = 0, 
   poll = 0, 
   ioctl = 0, 
   unlocked_ioctl = 0, 
   compat_ioctl = 0, 
   mmap = 0, 
   open = 0xffffffff81328ee0 <crash_open>, 
   flush = 0, 
   release = 0, 
   fsync = 0, 
   aio_fsync = 0, 
   fasync = 0, 
   lock = 0, 
   sendpage = 0, 
   get_unmapped_area = 0, 
   check_flags = 0, 
   flock = 0, 
   splice_write = 0, 
   splice_read = 0, 
   setlease = 0
 }
 crash> dis crash_open
 0xffffffff81328ee0 <crash_open>:        push   %rbp
 0xffffffff81328ee1 <crash_open+1>:      mov    %rsp,%rbp
 0xffffffff81328ee4 <crash_open+4>:      nopl   0x0(%rax,%rax,1)
 0xffffffff81328ee9 <crash_open+9>:      mov    $0x11,%edi
 0xffffffff81328eee <crash_open+14>:     callq  0xffffffff81073c30 <capable>
 0xffffffff81328ef3 <crash_open+19>:     cmp    $0x1,%eax
 0xffffffff81328ef6 <crash_open+22>:     leaveq 
 0xffffffff81328ef7 <crash_open+23>:     sbb    %eax,%eax
 0xffffffff81328ef9 <crash_open+25>:     retq   
 0xffffffff81328efa <crash_open+26>:     nopw   0x0(%rax,%rax,1)
 crash>

Comment 4 Aristeu Rozanski 2011-02-23 18:36:43 UTC
Patch(es) available on kernel-2.6.32-118.el6

Comment 8 errata-xmlrpc 2011-05-19 12:54:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0542.html

