sysctl: fix write access to dmesg_restrict/kptr_restrict

commit 620f6e8e855d6d447688a5f67a4e176944a084e8 upstream. Commit bfdc0b4 adds code to restrict access to dmesg_restrict, however, it incorrectly alters kptr_restrict rather than dmesg_restrict. The original patch from Richard Weinberger (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as expected, and so the patch seems to have been misapplied. This adds the CAP_SYS_ADMIN check to both dmesg_restrict and kptr_restrict, since both are sensitive. Reported-by: Phillip Lougher <plougher@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Richard Weinberger <richard@nod.at> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

sysctl: fix write access to dmesg_restrict/kptr_restrict
commit 620f6e8e855d6d447688a5f67a4e176944a084e8 upstream. Commit bfdc0b4 adds code to restrict access to dmesg_restrict, however, it incorrectly alters kptr_restrict rather than dmesg_restrict. The original patch from Richard Weinberger (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as expected, and so the patch seems to have been misapplied. This adds the CAP_SYS_ADMIN check to both dmesg_restrict and kptr_restrict, since both are sensitive. Reported-by: Phillip Lougher <plougher@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Richard Weinberger <richard@nod.at> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kees Cook · Greg Kroah-Hartman
1 parent 9fb1fd7880
Showing 1 changed file with 4 additions and 4 deletions Side-by-side Diff
kernel/sysctl.c
@@ -166,7 +166,7 @@
 #endif
  
 #ifdef CONFIG_PRINTK
-static int proc_dmesg_restrict(struct ctl_table *table, int write,
+static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
 				void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
  
@@ -713,7 +713,7 @@
 		.data		= &dmesg_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec_minmax,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
 		.extra1		= &zero,
 		.extra2		= &one,
 	},
@@ -722,7 +722,7 @@
 		.data		= &kptr_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dmesg_restrict,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
 		.extra1		= &zero,
 		.extra2		= &two,
 	},
@@ -2431,7 +2431,7 @@
 }
  
 #ifdef CONFIG_PRINTK
-static int proc_dmesg_restrict(struct ctl_table *table, int write,
+static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
 				void __user *buffer, size_t *lenp, loff_t *ppos)
 {
 	if (write && !capable(CAP_SYS_ADMIN))
...	...	@@ -166,7 +166,7 @@
166	166	#endif
167	167
168	168	#ifdef CONFIG_PRINTK
169		-static int proc_dmesg_restrict(struct ctl_table *table, int write,
	169	+static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
170	170	void __user buffer, size_t lenp, loff_t *ppos);
171	171	#endif
172	172
...	...	@@ -713,7 +713,7 @@
713	713	.data = &dmesg_restrict,
714	714	.maxlen = sizeof(int),
715	715	.mode = 0644,
716		- .proc_handler = proc_dointvec_minmax,
	716	+ .proc_handler = proc_dointvec_minmax_sysadmin,
717	717	.extra1 = &zero,
718	718	.extra2 = &one,
719	719	},
...	...	@@ -722,7 +722,7 @@
722	722	.data = &kptr_restrict,
723	723	.maxlen = sizeof(int),
724	724	.mode = 0644,
725		- .proc_handler = proc_dmesg_restrict,
	725	+ .proc_handler = proc_dointvec_minmax_sysadmin,
726	726	.extra1 = &zero,
727	727	.extra2 = &two,
728	728	},
...	...	@@ -2431,7 +2431,7 @@
2431	2431	}
2432	2432
2433	2433	#ifdef CONFIG_PRINTK
2434		-static int proc_dmesg_restrict(struct ctl_table *table, int write,
	2434	+static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
2435	2435	void __user buffer, size_t lenp, loff_t *ppos)
2436	2436	{
2437	2437	if (write && !capable(CAP_SYS_ADMIN))