[thirdparty/kernel/stable-queue.git] / releases / 4.19.53 / ptrace-restore-smp_rmb-in-__ptrace_may_access.patch

From f6581f5b55141a95657ef5742cf6a6bfa20a109f Mon Sep 17 00:00:00 2001
From: Jann Horn <jannh@google.com>
Date: Wed, 29 May 2019 13:31:57 +0200
Subject: ptrace: restore smp_rmb() in __ptrace_may_access()

From: Jann Horn <jannh@google.com>

commit f6581f5b55141a95657ef5742cf6a6bfa20a109f upstream.

Restore the read memory barrier in __ptrace_may_access() that was deleted
a couple years ago. Also add comments on this barrier and the one it pairs
with to explain why they're there (as far as I understand).

Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
Cc: stable@vger.kernel.org
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cred.c   |    9 +++++++++
 kernel/ptrace.c |   10 ++++++++++
 2 files changed, 19 insertions(+)

--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -448,6 +448,15 @@ int commit_creds(struct cred *new)
 		if (task->mm)
 			set_dumpable(task->mm, suid_dumpable);
 		task->pdeath_signal = 0;
+		/*
+		 * If a task drops privileges and becomes nondumpable,
+		 * the dumpability change must become visible before
+		 * the credential change; otherwise, a __ptrace_may_access()
+		 * racing with this change may be able to attach to a task it
+		 * shouldn't be able to attach to (as if the task had dropped
+		 * privileges without becoming nondumpable).
+		 * Pairs with a read barrier in __ptrace_may_access().
+		 */
 		smp_wmb();
 	}
 
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -323,6 +323,16 @@ static int __ptrace_may_access(struct ta
 	return -EPERM;
 ok:
 	rcu_read_unlock();
+	/*
+	 * If a task drops privileges and becomes nondumpable (through a syscall
+	 * like setresuid()) while we are trying to access it, we must ensure
+	 * that the dumpability is read after the credentials; otherwise,
+	 * we may be able to attach to a task that we shouldn't be able to
+	 * attach to (as if the task had dropped privileges without becoming
+	 * nondumpable).
+	 * Pairs with a write barrier in commit_creds().
+	 */
+	smp_rmb();
 	mm = task->mm;
 	if (mm &&
 	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
Commit	Line	Data
80ae7e1e GKH	1	From f6581f5b55141a95657ef5742cf6a6bfa20a109f Mon Sep 17 00:00:00 2001
	2	From: Jann Horn <jannh@google.com>
	3	Date: Wed, 29 May 2019 13:31:57 +0200
	4	Subject: ptrace: restore smp_rmb() in __ptrace_may_access()
	5
	6	From: Jann Horn <jannh@google.com>
	7
	8	commit f6581f5b55141a95657ef5742cf6a6bfa20a109f upstream.
	9
	10	Restore the read memory barrier in __ptrace_may_access() that was deleted
	11	a couple years ago. Also add comments on this barrier and the one it pairs
	12	with to explain why they're there (as far as I understand).
	13
	14	Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
	15	Cc: stable@vger.kernel.org
	16	Acked-by: Kees Cook <keescook@chromium.org>
	17	Acked-by: Oleg Nesterov <oleg@redhat.com>
	18	Signed-off-by: Jann Horn <jannh@google.com>
	19	Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	kernel/cred.c \| 9 +++++++++
	24	kernel/ptrace.c \| 10 ++++++++++
	25	2 files changed, 19 insertions(+)
	26
	27	--- a/kernel/cred.c
	28	+++ b/kernel/cred.c
	29	@@ -448,6 +448,15 @@ int commit_creds(struct cred *new)
	30	if (task->mm)
	31	set_dumpable(task->mm, suid_dumpable);
	32	task->pdeath_signal = 0;
	33	+ /*
	34	+ * If a task drops privileges and becomes nondumpable,
	35	+ * the dumpability change must become visible before
	36	+ * the credential change; otherwise, a __ptrace_may_access()
	37	+ * racing with this change may be able to attach to a task it
	38	+ * shouldn't be able to attach to (as if the task had dropped
	39	+ * privileges without becoming nondumpable).
	40	+ * Pairs with a read barrier in __ptrace_may_access().
	41	+ */
	42	smp_wmb();
	43	}
	44
	45	--- a/kernel/ptrace.c
	46	+++ b/kernel/ptrace.c
	47	@@ -323,6 +323,16 @@ static int __ptrace_may_access(struct ta
	48	return -EPERM;
	49	ok:
	50	rcu_read_unlock();
	51	+ /*
	52	+ * If a task drops privileges and becomes nondumpable (through a syscall
	53	+ * like setresuid()) while we are trying to access it, we must ensure
	54	+ * that the dumpability is read after the credentials; otherwise,
	55	+ * we may be able to attach to a task that we shouldn't be able to
	56	+ * attach to (as if the task had dropped privileges without becoming
	57	+ * nondumpable).
	58	+ * Pairs with a write barrier in commit_creds().
	59	+ */
	60	+ smp_rmb();
	61	mm = task->mm;
	62	if (mm &&
	63	((get_dumpable(mm) != SUID_DUMP_USER) &&