Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull ptrace fixes from Eric Biederman: "This is just two very minor fixes: - prevent ptrace from reading unitialized kernel memory found twice by syzkaller - restore a missing smp_rmb in ptrace_may_access and add comment tp it so it is not removed by accident again. Apologies for being a little slow about getting this to you, I am still figuring out how to develop with a little baby in the house" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: ptrace: restore smp_rmb() in __ptrace_may_access() signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
author: Linus Torvalds <torvalds@linux-foundation.org> 2019-06-11 21:44:45 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2019-06-11 21:44:45 -0400
commit: aa7235483a838be79b7c22a86b0dc4cb12ee5dd6 (patch)
tree: d89a5978232e8dfaf47953a1b7d9ce7599b892b0 /kernel/ptrace.c
parent: 4d8f5f91b8a608980b173ef3382913c7405f82c3 (diff)
parent: f6581f5b55141a95657ef5742cf6a6bfa20a109f (diff)
1 files changed, 18 insertions, 2 deletions
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 5710d07e67cf..8456b6e2205f 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -324,6 +324,16 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
        return -EPERM;
 ok:
        rcu_read_unlock();
+        /*
+         * If a task drops privileges and becomes nondumpable (through a syscall
+         * like setresuid()) while we are trying to access it, we must ensure
+         * that the dumpability is read after the credentials; otherwise,
+         * we may be able to attach to a task that we shouldn't be able to
+         * attach to (as if the task had dropped privileges without becoming
+         * nondumpable).
+         * Pairs with a write barrier in commit_creds().
+         */
+        smp_rmb();
        mm = task->mm;
        if (mm &&
            ((get_dumpable(mm) != SUID_DUMP_USER) &&
@@ -705,6 +715,10 @@ static int ptrace_peek_siginfo(struct task_struct *child,
        if (arg.nr < 0)
                return -EINVAL;
+        /* Ensure arg.off fits in an unsigned long */
+        if (arg.off > ULONG_MAX)
+                return 0;
        if (arg.flags & PTRACE_PEEKSIGINFO_SHARED)
                pending = &child->signal->shared_pending;
        else
@@ -712,18 +726,20 @@ static int ptrace_peek_siginfo(struct task_struct *child,
        for (i = 0; i < arg.nr; ) {
                kernel_siginfo_t info;
-                s32 off = arg.off + i;
+                unsigned long off = arg.off + i;
+                bool found = false;
                spin_lock_irq(&child->sighand->siglock);
                list_for_each_entry(q, &pending->list, list) {
                        if (!off--) {
+                                found = true;
                                copy_siginfo(&info, &q->info);
                                break;
                        }
                }
                spin_unlock_irq(&child->sighand->siglock);
-                if (off >= 0) /* beyond the end of the list */
+                if (!found) /* beyond the end of the list */
                        break;
 #ifdef CONFIG_COMPAT
author	Linus Torvalds <torvalds@linux-foundation.org>	2019-06-11 21:44:45 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2019-06-11 21:44:45 -0400
commit	aa7235483a838be79b7c22a86b0dc4cb12ee5dd6 (patch)
tree	d89a5978232e8dfaf47953a1b7d9ce7599b892b0 /kernel/ptrace.c
parent	4d8f5f91b8a608980b173ef3382913c7405f82c3 (diff)
parent	f6581f5b55141a95657ef5742cf6a6bfa20a109f (diff)