diff options
| -rw-r--r-- | kernel/futex.c | 36 | ||||
| -rw-r--r-- | kernel/futex_compat.c | 36 |
2 files changed, 26 insertions, 46 deletions
diff --git a/kernel/futex.c b/kernel/futex.c index 72efa1e4359a..d701be57c423 100644 --- a/kernel/futex.c +++ b/kernel/futex.c | |||
| @@ -59,6 +59,7 @@ | |||
| 59 | #include <linux/magic.h> | 59 | #include <linux/magic.h> |
| 60 | #include <linux/pid.h> | 60 | #include <linux/pid.h> |
| 61 | #include <linux/nsproxy.h> | 61 | #include <linux/nsproxy.h> |
| 62 | #include <linux/ptrace.h> | ||
| 62 | 63 | ||
| 63 | #include <asm/futex.h> | 64 | #include <asm/futex.h> |
| 64 | 65 | ||
| @@ -2443,40 +2444,29 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, | |||
| 2443 | { | 2444 | { |
| 2444 | struct robust_list_head __user *head; | 2445 | struct robust_list_head __user *head; |
| 2445 | unsigned long ret; | 2446 | unsigned long ret; |
| 2446 | const struct cred *cred = current_cred(), *pcred; | 2447 | struct task_struct *p; |
| 2447 | 2448 | ||
| 2448 | if (!futex_cmpxchg_enabled) | 2449 | if (!futex_cmpxchg_enabled) |
| 2449 | return -ENOSYS; | 2450 | return -ENOSYS; |
| 2450 | 2451 | ||
| 2452 | rcu_read_lock(); | ||
| 2453 | |||
| 2454 | ret = -ESRCH; | ||
| 2451 | if (!pid) | 2455 | if (!pid) |
| 2452 | head = current->robust_list; | 2456 | p = current; |
| 2453 | else { | 2457 | else { |
| 2454 | struct task_struct *p; | ||
| 2455 | |||
| 2456 | ret = -ESRCH; | ||
| 2457 | rcu_read_lock(); | ||
| 2458 | p = find_task_by_vpid(pid); | 2458 | p = find_task_by_vpid(pid); |
| 2459 | if (!p) | 2459 | if (!p) |
| 2460 | goto err_unlock; | 2460 | goto err_unlock; |
| 2461 | ret = -EPERM; | ||
| 2462 | pcred = __task_cred(p); | ||
| 2463 | /* If victim is in different user_ns, then uids are not | ||
| 2464 | comparable, so we must have CAP_SYS_PTRACE */ | ||
| 2465 | if (cred->user->user_ns != pcred->user->user_ns) { | ||
| 2466 | if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE)) | ||
| 2467 | goto err_unlock; | ||
| 2468 | goto ok; | ||
| 2469 | } | ||
| 2470 | /* If victim is in same user_ns, then uids are comparable */ | ||
| 2471 | if (cred->euid != pcred->euid && | ||
| 2472 | cred->euid != pcred->uid && | ||
| 2473 | !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE)) | ||
| 2474 | goto err_unlock; | ||
| 2475 | ok: | ||
| 2476 | head = p->robust_list; | ||
| 2477 | rcu_read_unlock(); | ||
| 2478 | } | 2461 | } |
| 2479 | 2462 | ||
| 2463 | ret = -EPERM; | ||
| 2464 | if (!ptrace_may_access(p, PTRACE_MODE_READ)) | ||
| 2465 | goto err_unlock; | ||
| 2466 | |||
| 2467 | head = p->robust_list; | ||
| 2468 | rcu_read_unlock(); | ||
| 2469 | |||
| 2480 | if (put_user(sizeof(*head), len_ptr)) | 2470 | if (put_user(sizeof(*head), len_ptr)) |
| 2481 | return -EFAULT; | 2471 | return -EFAULT; |
| 2482 | return put_user(head, head_ptr); | 2472 | return put_user(head, head_ptr); |
diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c index 5f9e689dc8f0..a9642d528630 100644 --- a/kernel/futex_compat.c +++ b/kernel/futex_compat.c | |||
| @@ -10,6 +10,7 @@ | |||
| 10 | #include <linux/compat.h> | 10 | #include <linux/compat.h> |
| 11 | #include <linux/nsproxy.h> | 11 | #include <linux/nsproxy.h> |
| 12 | #include <linux/futex.h> | 12 | #include <linux/futex.h> |
| 13 | #include <linux/ptrace.h> | ||
| 13 | 14 | ||
| 14 | #include <asm/uaccess.h> | 15 | #include <asm/uaccess.h> |
| 15 | 16 | ||
| @@ -136,40 +137,29 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr, | |||
| 136 | { | 137 | { |
| 137 | struct compat_robust_list_head __user *head; | 138 | struct compat_robust_list_head __user *head; |
| 138 | unsigned long ret; | 139 | unsigned long ret; |
| 139 | const struct cred *cred = current_cred(), *pcred; | 140 | struct task_struct *p; |
| 140 | 141 | ||
| 141 | if (!futex_cmpxchg_enabled) | 142 | if (!futex_cmpxchg_enabled) |
| 142 | return -ENOSYS; | 143 | return -ENOSYS; |
| 143 | 144 | ||
| 145 | rcu_read_lock(); | ||
| 146 | |||
| 147 | ret = -ESRCH; | ||
| 144 | if (!pid) | 148 | if (!pid) |
| 145 | head = current->compat_robust_list; | 149 | p = current; |
| 146 | else { | 150 | else { |
| 147 | struct task_struct *p; | ||
| 148 | |||
| 149 | ret = -ESRCH; | ||
| 150 | rcu_read_lock(); | ||
| 151 | p = find_task_by_vpid(pid); | 151 | p = find_task_by_vpid(pid); |
| 152 | if (!p) | 152 | if (!p) |
| 153 | goto err_unlock; | 153 | goto err_unlock; |
| 154 | ret = -EPERM; | ||
| 155 | pcred = __task_cred(p); | ||
| 156 | /* If victim is in different user_ns, then uids are not | ||
| 157 | comparable, so we must have CAP_SYS_PTRACE */ | ||
| 158 | if (cred->user->user_ns != pcred->user->user_ns) { | ||
| 159 | if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE)) | ||
| 160 | goto err_unlock; | ||
| 161 | goto ok; | ||
| 162 | } | ||
| 163 | /* If victim is in same user_ns, then uids are comparable */ | ||
| 164 | if (cred->euid != pcred->euid && | ||
| 165 | cred->euid != pcred->uid && | ||
| 166 | !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE)) | ||
| 167 | goto err_unlock; | ||
| 168 | ok: | ||
| 169 | head = p->compat_robust_list; | ||
| 170 | rcu_read_unlock(); | ||
| 171 | } | 154 | } |
| 172 | 155 | ||
| 156 | ret = -EPERM; | ||
| 157 | if (!ptrace_may_access(p, PTRACE_MODE_READ)) | ||
| 158 | goto err_unlock; | ||
| 159 | |||
| 160 | head = p->compat_robust_list; | ||
| 161 | rcu_read_unlock(); | ||
| 162 | |||
| 173 | if (put_user(sizeof(*head), len_ptr)) | 163 | if (put_user(sizeof(*head), len_ptr)) |
| 174 | return -EFAULT; | 164 | return -EFAULT; |
| 175 | return put_user(ptr_to_compat(head), head_ptr); | 165 | return put_user(ptr_to_compat(head), head_ptr); |