From patchwork Wed Jan 16 18:31:09 2019
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10766719
Date: Wed, 16 Jan 2019 10:31:09 -0800
From: Kees Cook
To: James Morris
Cc: Oleg Nesterov, Tetsuo Handa, "Serge E. Hallyn", LKML, linux-security-module, syzbot, syzkaller-bugs@googlegroups.com
Subject: [PATCH] Yama: Check for pid death before checking ancestry
Message-ID: <20190116183109.GA21722@beast>

It's possible that a pid has died before we take the rcu lock, in which
case we can't walk the ancestry list as it may be detached. Instead, check
for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487faf1 ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov
Signed-off-by: Kees Cook --- James, can you please send this to Linus in your -fixes tree? --- security/yama/yama_lsm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index ffda91a4a1aa..02514fe558b4 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -368,7 +368,9 @@ static int yama_ptrace_access_check(struct task_struct *child, break; case YAMA_SCOPE_RELATIONAL: rcu_read_lock(); - if (!task_is_descendant(current, child) && + if (!pid_alive(child)) + rc = -EPERM; + if (!rc && !task_is_descendant(current, child) && !ptracer_exception_found(current, child) && !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) rc = -EPERM;
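Review bot: The new `if (!pid_alive(child))` test under `rcu_read_lock()` in the YAMA_SCOPE_RELATIONAL case has no comment saying why it must come before `task_is_descendant()`; the reason (the ancestry list of a dead task may be detached) lives only in the commit message, so a one-line comment above the check would keep a later cleanup from reordering or dropping it. The follow-on `!rc &&` guard also depends on rc still being 0 when this case is entered, which the hunk does not show; writing the second test as `else if (!task_is_descendant(current, child) && ...` would make the two branches mutually exclusive without relying on that. A dead child now also returns -EPERM before `ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)` is consulted, so if that result is intended for capable tracers as well, it is worth stating in the changelog.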