From Linus' patch:
"Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very robust, and it also doesn't match the permission checking of any of the other related files.
This changes it to do the permission checks at open time, and instead of tracking the process, it tracks the VM at the time of the open. That simplifies the code a lot, but does mean that if you hold the file descriptor open over an execve(), you'll continue to read from the _old_ VM."
A local, unprivileged user could use this flaw to escalate their privileges.
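The interface this advisory concerns, as an added example that is not part of the advisory or of the kernel patch: a C program opens its own /proc/self/mem read-write, overwrites a global through pwrite(2) at the variable's address, and reads the value back through the same descriptor. The function names (poke_self_mem, demo_proc_self_mem), the global `target` and the constant values are this example's own assumptions. It runs unprivileged on Linux because a process always passes the access check for its own mem file; after the referenced fix that check is applied by open(2), so a denied process sees open() fail rather than a later read or write.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed target: a process-global that the example overwrites through
 * /proc/self/mem rather than by plain assignment. */
static volatile uint32_t target = 0x11111111u;

/* Write `value` into this process's own memory at `addr` via /proc/self/mem,
 * then read it back through the same fd into *readback.
 * Returns 0 on success, -1 if open() fails (permission check or no /proc),
 * -2 on a short/failed pwrite, -3 on a short/failed pread. */
static int poke_self_mem(void *addr, uint32_t value, uint32_t *readback)
{
    /* The open is where the kernel decides whether we may access this mm. */
    int fd = open("/proc/self/mem", O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* /proc/<pid>/mem is addressed by virtual address: the file offset is
     * the address to read or write in the target's address space. */
    off_t off = (off_t)(uintptr_t)addr;
    int rc = 0;
    if (pwrite(fd, &value, sizeof value, off) != (ssize_t)sizeof value)
        rc = -2;
    else if (pread(fd, readback, sizeof *readback, off) != (ssize_t)sizeof *readback)
        rc = -3;
    close(fd);
    return rc;
}

/* Returns 1 if the write through /proc/self/mem changed `target` and the
 * fd read the same value back, 0 otherwise. */
int demo_proc_self_mem(void)
{
    uint32_t seen = 0;
    if (poke_self_mem((void *)&target, 0xDEADBEEFu, &seen) != 0)
        return 0;
    return seen == 0xDEADBEEFu && target == 0xDEADBEEFu;
}

int main(void)
{
    printf("write through /proc/self/mem %s\n",
           demo_proc_self_mem() ? "succeeded" : "failed");
    return 0;
}
```

The descriptor is bound to the address space that existed when open() ran, which is the behaviour the commit message describes for descriptors held across execve(); the example keeps the fd within one address space, so it only shows the open-time check and the address-as-offset addressing.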
Upstream commit: http://git.kernel.org/linus/e268337dfe26dfc7efd422a804dbb27977a3cccc
Acknowledgements:
Red Hat would like to thank Jüri Aedla for reporting this issue.