Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull ptrace fixes from Eric Biederman:
"This is just two very minor fixes:

- prevent ptrace from reading uninitialized kernel memory found twice
by syzkaller

- restore a missing smp_rmb in ptrace_may_access and add comment to
it so it is not removed by accident again.

Apologies for being a little slow about getting this to you, I am
still figuring out how to develop with a little baby in the house"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
ptrace: restore smp_rmb() in __ptrace_may_access()
signal/ptrace: Don't leak uninitialized kernel memory with PTRACE_PEEK_SIGINFO

kernel/cred.c
··· 446 446 if (task->mm) 447 447 set_dumpable(task->mm, suid_dumpable); 448 448 task->pdeath_signal = 0; 449 + /* 450 + * If a task drops privileges and becomes nondumpable, 451 + * the dumpability change must become visible before 452 + * the credential change; otherwise, a __ptrace_may_access() 453 + * racing with this change may be able to attach to a task it 454 + * shouldn't be able to attach to (as if the task had dropped 455 + * privileges without becoming nondumpable). 456 + * Pairs with a read barrier in __ptrace_may_access(). 457 + */ 449 458 smp_wmb(); 450 459 } 451 460
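Review bot: the new comment documents a barrier that is conditional, and should say so: the closing brace right after smp_wmb() shows it sits inside the block that runs set_dumpable(task->mm, suid_dumpable) and clears pdeath_signal, so the write side of the pairing exists only on the path where the task becomes nondumpable, while the smp_rmb() it names in __ptrace_may_access() runs on every path that reaches ok:. One sentence such as "only needed on this path because the dumpability store above is the thing being ordered" would keep a future refactor from either hoisting the barrier out of the block or assuming the read side can be made conditional to match. Naming the partner barrier by function, as the comment does, is exactly the part that was missing before.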
kernel/ptrace.c
··· 324 324 return -EPERM; 325 325 ok: 326 326 rcu_read_unlock(); 327 + /* 328 + * If a task drops privileges and becomes nondumpable (through a syscall 329 + * like setresuid()) while we are trying to access it, we must ensure 330 + * that the dumpability is read after the credentials; otherwise, 331 + * we may be able to attach to a task that we shouldn't be able to 332 + * attach to (as if the task had dropped privileges without becoming 333 + * nondumpable). 334 + * Pairs with a write barrier in commit_creds(). 335 + */ 336 + smp_rmb(); 327 337 mm = task->mm; 328 338 if (mm && 329 339 ((get_dumpable(mm) != SUID_DUMP_USER) && ··· 715 705 if (arg.nr < 0) 716 706 return -EINVAL; 717 707 708 + /* Ensure arg.off fits in an unsigned long */ 709 + if (arg.off > ULONG_MAX) 710 + return 0; 711 + 718 712 if (arg.flags & PTRACE_PEEKSIGINFO_SHARED) 719 713 pending = &child->signal->shared_pending; 720 714 else ··· 726 712 727 713 for (i = 0; i < arg.nr; ) { 728 714 kernel_siginfo_t info; 729 - s32 off = arg.off + i; 715 + unsigned long off = arg.off + i; 716 + bool found = false; 730 717 731 718 spin_lock_irq(&child->sighand->siglock); 732 719 list_for_each_entry(q, &pending->list, list) { 733 720 if (!off--) { 721 + found = true; 734 722 copy_siginfo(&info, &q->info); 735 723 break; 736 724 } 737 725 } 738 726 spin_unlock_irq(&child->sighand->siglock); 739 727 740 - if (off >= 0) /* beyond the end of the list */ 728 + if (!found) /* beyond the end of the list */ 741 729 break; 742 730 743 731 #ifdef CONFIG_COMPAT
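Review bot: the placement of the restored smp_rmb() is right: it comes after the credential checks done under RCU (everything before ok: / rcu_read_unlock()) and before mm = task->mm and get_dumpable(mm), which is the creds-then-dumpable read order the comment asks for. The comment should additionally state that rcu_read_unlock() gives no ordering here, because a barrier sitting directly after the unlock invites the assumption that the unlock already covers it, and that assumption is the most likely way the barrier was dropped in the first place (the merge text says it went missing by accident).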
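Review bot: the new `if (arg.off > ULONG_MAX) return 0;` check only has an effect where unsigned long is narrower than arg.off (32-bit builds; on 64-bit it is always false), and on those builds it does not fully close the truncation it is guarding: `unsigned long off = arg.off + i;` below can still wrap when arg.off is close to ULONG_MAX and i > 0, so off restarts near 0 and the walk matches the head of the queue instead of stopping. Bounding the offset against the count as well, for example rejecting `arg.off > ULONG_MAX - arg.nr` (arg.nr is already known non-negative from the `if (arg.nr < 0)` check just above), or breaking out of the loop when off < arg.off, would make the bound exact. Returning 0 rather than -EINVAL is consistent with the existing "beyond the end of the list" break, which also yields a count of 0 at that point.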
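Review bot: the `found` flag is the right replacement for the old `if (off >= 0)` test, and its role should be called out in the comment: with off now unsigned, `off >= 0` would always be true, so the flag is the only thing keeping an unmatched offset from reaching the copy of `info`, which is still declared without an initializer and is only written inside the `if (!off--)` branch where found is set. Consider extending the trailing comment at the break to something like `/* not found: beyond the end of the list, info is uninitialized */` so a later cleanup does not fold the flag back into an arithmetic test on off and reintroduce the uninitialized copy this commit fixes.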