From patchwork Sun Sep 18 15:05:14 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 9337915 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 97A2D601C2 for ; Sun, 18 Sep 2016 15:05:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8B19A28CEB for ; Sun, 18 Sep 2016 15:05:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8001A28CEE; Sun, 18 Sep 2016 15:05:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 205C428CEB for ; Sun, 18 Sep 2016 15:05:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S936276AbcIRPFo (ORCPT ); Sun, 18 Sep 2016 11:05:44 -0400 Received: from thejh.net ([37.221.195.125]:46333 "EHLO thejh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S936003AbcIRPFg (ORCPT ); Sun, 18 Sep 2016 11:05:36 -0400 Received: from pc.thejh.net (pc.vpn [192.168.44.2]) by thejh.net (Postfix) with ESMTPSA id 3BEFF1826AD; Sun, 18 Sep 2016 17:05:34 +0200 (CEST) From: Jann Horn To: Alexander Viro , Roland McGrath , Oleg Nesterov , John Johansen , James Morris , "Serge E. Hallyn" , Paul Moore , Stephen Smalley , Eric Paris , Casey Schaufler , Kees Cook , Andrew Morton , Janis Danisevskis , Seth Forshee , "Eric . Biederman" , Thomas Gleixner , Benjamin LaHaise Cc: linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org Subject: [PATCH 6/9] ptrace: warn on ptrace_may_access without proper locking Date: Sun, 18 Sep 2016 17:05:14 +0200 Message-Id: <1474211117-16674-7-git-send-email-jann@thejh.net> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1474211117-16674-1-git-send-email-jann@thejh.net> References: <1474211117-16674-1-git-send-email-jann@thejh.net> Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP If neither of those locks is taken during a ptrace_may_access() call, that is a strong indicator for a security bug where post-execve process properties can be leaked by racing with execve(). Signed-off-by: Jann Horn --- kernel/ptrace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index dc7594a..b311ca5 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -224,6 +224,9 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode, kuid_t caller_uid; kgid_t caller_gid; + WARN_ON(!mutex_is_locked(&task->signal->cred_guard_mutex) && + !mutex_is_locked(&task->signal->cred_guard_light)); + if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); return -EPERM;