ptrace: restore smp_rmb() in __ptrace_may_access()

Restore the read memory barrier in __ptrace_may_access() that was deleted a couple years ago. Also add comments on this barrier and the one it pairs with to explain why they're there (as far as I understand). Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks") Cc: stable@vger.kernel.org Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
author: Jann Horn <jannh@google.com> 2019-05-29 07:31:57 -0400
committer: Eric W. Biederman <ebiederm@xmission.com> 2019-06-11 16:08:28 -0400
commit: f6581f5b55141a95657ef5742cf6a6bfa20a109f (patch)
tree: a0ccd00874d67118ab48624da6ecb633da8c6536 /kernel/ptrace.c
parent: f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 02c6528ead5c..c9b4646ad375 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -323,6 +323,16 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
        return -EPERM;
 ok:
        rcu_read_unlock();
+        /*
+         * If a task drops privileges and becomes nondumpable (through a syscall
+         * like setresuid()) while we are trying to access it, we must ensure
+         * that the dumpability is read after the credentials; otherwise,
+         * we may be able to attach to a task that we shouldn't be able to
+         * attach to (as if the task had dropped privileges without becoming
+         * nondumpable).
+         * Pairs with a write barrier in commit_creds().
+         */
+        smp_rmb();
        mm = task->mm;
        if (mm &&
            ((get_dumpable(mm) != SUID_DUMP_USER) &&
author	Jann Horn <jannh@google.com>	2019-05-29 07:31:57 -0400
committer	Eric W. Biederman <ebiederm@xmission.com>	2019-06-11 16:08:28 -0400
commit	f6581f5b55141a95657ef5742cf6a6bfa20a109f (patch)
tree	a0ccd00874d67118ab48624da6ecb633da8c6536 /kernel/ptrace.c
parent	f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 (diff)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 02c6528ead5c..c9b4646ad375 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c
@@ -323,6 +323,16 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
323	return -EPERM;	323	return -EPERM;
324	ok:	324	ok:
325	rcu_read_unlock();	325	rcu_read_unlock();
		326	/*
		327	* If a task drops privileges and becomes nondumpable (through a syscall
		328	* like setresuid()) while we are trying to access it, we must ensure
		329	* that the dumpability is read after the credentials; otherwise,
		330	* we may be able to attach to a task that we shouldn't be able to
		331	* attach to (as if the task had dropped privileges without becoming
		332	* nondumpable).
		333	* Pairs with a write barrier in commit_creds().
		334	*/
		335	smp_rmb();
326	mm = task->mm;	336	mm = task->mm;
327	if (mm &&	337	if (mm &&
328	((get_dumpable(mm) != SUID_DUMP_USER) &&	338	((get_dumpable(mm) != SUID_DUMP_USER) &&