Red Hat Bugzilla – Bug 675998
/dev/crash does not require CAP_SYS_RAWIO for access
Last modified: 2011-05-19 08:54:47 EDT
Description of problem: The crash kernel module does not check if the calling process has CAP_SYS_RAWIO. Other kernel memory access entry points have that check. For consistency, we should require CAP_SYS_RAWIO in order to allow reading of kernel memory.
This is the patch: --- linux-2.6.32-115.el6.bz675998.x86_64/drivers/char/crash.c.orig +++ linux-2.6.32-115.el6.bz675998.x86_64/drivers/char/crash.c @@ -32,7 +32,7 @@ #include <asm/types.h> #include <asm/crash.h> -#define CRASH_VERSION "1.0" +#define CRASH_VERSION "1.1" /* * These are the file operation functions that allow crash utility 
@@ -86,10 +86,17 @@ crash_read(struct file *file, char *buf, return read; } +static int +crash_open(struct inode * inode, struct file * filp) +{ + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; +} + static struct file_operations crash_fops = { .owner = THIS_MODULE, .llseek = crash_llseek, .read = crash_read, + .open = crash_open, }; static struct miscdevice crash_dev = { And it works OK: # crash crash 5.1.1-1.el6 Copyright (C) 2002-2010 Red Hat, Inc. Copyright (C) 2004, 2005, 2006 IBM Corporation Copyright (C) 1999-2006 Hewlett-Packard Co Copyright (C) 2005, 2006 Fujitsu Limited Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. Copyright (C) 2005 NEC Corporation Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. This program is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Enter "help copying" to see the conditions. This program has absolutely no warranty. Enter "help warranty" for details. GNU gdb (GDB) 7.0 Copyright (C) 2009 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-unknown-linux-gnu"... 
KERNEL: /usr/lib/debug/lib/modules/2.6.32-115.el6.bz675998.x86_64/vmlinux
DUMPFILE: /dev/crash
CPUS: 6
DATE: Wed Feb 16 13:24:11 2011
UPTIME: 01:51:59
LOAD AVERAGE: 0.29, 0.08, 0.02
TASKS: 201
NODENAME: hp-z400-02.lab.bos.redhat.com
RELEASE: 2.6.32-115.el6.bz675998.x86_64
VERSION: #1 SMP Tue Feb 15 14:53:42 EST 2011
MACHINE: x86_64 (3067 Mhz)
MEMORY: 4 GB
PID: 7584
COMMAND: "crash"
TASK: ffff88013565e100 [THREAD_INFO: ffff880137802000]
CPU: 2
STATE: TASK_RUNNING (ACTIVE)

crash> p crash_fops
crash_fops = $3 = {
  owner = 0x0,
  llseek = 0xffffffff81328eb0 <crash_llseek>,
  read = 0xffffffff81328f00 <crash_read>,
  write = 0,
  aio_read = 0,
  aio_write = 0,
  readdir = 0,
  poll = 0,
  ioctl = 0,
  unlocked_ioctl = 0,
  compat_ioctl = 0,
  mmap = 0,
  open = 0xffffffff81328ee0 <crash_open>,
  flush = 0,
  release = 0,
  fsync = 0,
  aio_fsync = 0,
  fasync = 0,
  lock = 0,
  sendpage = 0,
  get_unmapped_area = 0,
  check_flags = 0,
  flock = 0,
  splice_write = 0,
  splice_read = 0,
  setlease = 0
}
crash> dis crash_open
0xffffffff81328ee0 <crash_open>: push %rbp
0xffffffff81328ee1 <crash_open+1>: mov %rsp,%rbp
0xffffffff81328ee4 <crash_open+4>: nopl 0x0(%rax,%rax,1)
0xffffffff81328ee9 <crash_open+9>: mov $0x11,%edi
0xffffffff81328eee <crash_open+14>: callq 0xffffffff81073c30 <capable>
0xffffffff81328ef3 <crash_open+19>: cmp $0x1,%eax
0xffffffff81328ef6 <crash_open+22>: leaveq
0xffffffff81328ef7 <crash_open+23>: sbb %eax,%eax
0xffffffff81328ef9 <crash_open+25>: retq
0xffffffff81328efa <crash_open+26>: nopw 0x0(%rax,%rax,1)
crash>
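Review bot: In the second hunk (@@ -86,10 +86,17 @@) the capability test is made only in crash_open, while crash_read and crash_llseek are left unchanged, so a descriptor opened by a CAP_SYS_RAWIO holder and then inherited by or passed to a process without the capability can still be read. If open-time enforcement is the intended model, state that in a comment above crash_open, which currently has none; otherwise repeat the capable(CAP_SYS_RAWIO) test in crash_read. Style: "struct inode * inode, struct file * filp" should be written "struct inode *inode, struct file *filp".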
Patch(es) available on kernel-2.6.32-118.el6
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2011-0542.html
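A regression check for the fix described in this report, added here as an example and not part of the patch or of any Red Hat test suite: it reads the caller's effective capability mask and attempts to open /dev/crash, then reports whether the open-time CAP_SYS_RAWIO check is enforced. The function names and verdict labels are assumptions; the intended use is as root with CAP_SYS_RAWIO dropped, because an unprivileged user may be stopped by the device node's file mode before the driver is reached.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CAP_SYS_RAWIO_BIT 17 /* 0x11, the value loaded into %edi before capable() */

enum verdict { CHECK_ENFORCED, CHECK_MISSING, INCONCLUSIVE };

/* Parse /proc/<pid>/status text: 1 if CapEff has CAP_SYS_RAWIO, 0 if not, -1 if no CapEff line. */
int has_cap_sys_rawio(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    unsigned long long mask;

    if (!p || sscanf(p + 7, "%llx", &mask) != 1)
        return -1;
    return (int)((mask >> CAP_SYS_RAWIO_BIT) & 1ULL);
}

/* open_errno is 0 when open() succeeded, otherwise the errno it set. */
enum verdict judge(int has_cap, int open_errno)
{
    if (has_cap != 0)
        return INCONCLUSIVE;   /* caller holds the capability, or the mask is unknown */
    if (open_errno == 0)
        return CHECK_MISSING;  /* device opened without CAP_SYS_RAWIO */
    if (open_errno == EPERM)
        return CHECK_ENFORCED; /* consistent with crash_open returning -EPERM */
    return INCONCLUSIVE;       /* e.g. EACCES from the file mode, ENOENT if the module is absent */
}

int main(void)
{
    static const char *names[] = { "enforced", "MISSING", "inconclusive" };
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    int fd, err;

    if (f) {
        buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
        fclose(f);
    }
    fd = open("/dev/crash", O_RDONLY);
    err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    printf("CAP_SYS_RAWIO check on /dev/crash: %s\n", names[judge(has_cap_sys_rawio(buf), err)]);
    return 0;
}
```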