    ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME · 6994eefb
    Jann Horn authored
    Fix two issues:
    
    When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
    reference to the parent's objective credentials, then give that pointer
    to get_cred().  However, the object lifetime rules for things like
    struct cred do not permit unconditionally turning an RCU reference into
    a stable reference.
    
    PTRACE_TRACEME records the parent's credentials as if the parent was
    acting as the subject, but that's not the case.  If a malicious
    unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
    at a later point, the parent process becomes attacker-controlled
    (because it drops privileges and calls execve()), the attacker ends up
    with control over two processes with a privileged ptrace relationship,
    which can be abused to ptrace a suid binary and obtain root privileges.
    
    Fix both of these by always recording the credentials of the process
    that is requesting the creation of the ptrace relationship:
    current_cred() can't change under us, and current is the proper subject
    for access control.
    
    This change is theoretically userspace-visible, but I am not aware of
    any code that it will actually break.
    
    Fixes: 64b875f7 ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Name
bpf
cgroup
configs
debug
dma
events
gcov
irq
livepatch
locking
power
printk
rcu
sched
time
trace
.gitignore
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
Makefile
acct.c
async.c
audit.c
audit.h
audit_fsnotify.c
audit_tree.c
audit_watch.c
auditfilter.c
auditsc.c
backtracetest.c
bounds.c
capability.c
compat.c
configs.c
context_tracking.c
cpu.c
cpu_pm.c
crash_core.c
crash_dump.c
cred.c
delayacct.c
dma.c
elfcore.c
exec_domain.c
exit.c
extable.c
fail_function.c
fork.c
freezer.c
futex.c
gen_kheaders.sh
groups.c
hung_task.c
iomem.c
irq_work.c
jump_label.c
kallsyms.c
kcmp.c
kcov.c
kexec.c
kexec_core.c
kexec_file.c
kexec_internal.h
kheaders.c
kmod.c
kprobes.c
ksysfs.c
kthread.c
latencytop.c
memremap.c
module-internal.h
module.c
module_signing.c
notifier.c
nsproxy.c
padata.c
panic.c
params.c
pid.c
pid_namespace.c
profile.c
ptrace.c
range.c
reboot.c
relay.c
resource.c
rseq.c
seccomp.c
signal.c
smp.c
smpboot.c
smpboot.h
softirq.c
stackleak.c
stacktrace.c
stop_machine.c
sys.c
sys_ni.c
sysctl.c
sysctl_binary.c
task_work.c
taskstats.c
test_kprobes.c
torture.c
tracepoint.c
tsacct.c
ucount.c
uid16.c
uid16.h
umh.c
up.c
user-return-notifier.c
user.c
user_namespace.c
utsname.c
utsname_sysctl.c
watchdog.c
watchdog_hld.c
workqueue.c
workqueue_internal.h