[thirdparty/kernel/stable-queue.git] / releases / 4.4.172 / yama-check-for-pid-death-before-checking-ancestry.patch

From 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Wed, 16 Jan 2019 10:31:09 -0800
Subject: Yama: Check for pid death before checking ancestry

From: Kees Cook <keescook@chromium.org>

commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.

It's possible that a pid has died before we take the rcu lock, in which
case we can't walk the ancestry list as it may be detached. Instead, check
for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487faf1 ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/yama/yama_lsm.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -288,7 +288,9 @@ static int yama_ptrace_access_check(stru
 			break;
 		case YAMA_SCOPE_RELATIONAL:
 			rcu_read_lock();
-			if (!task_is_descendant(current, child) &&
+			if (!pid_alive(child))
+				rc = -EPERM;
+			if (!rc && !task_is_descendant(current, child) &&
 			    !ptracer_exception_found(current, child) &&
 			    !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
 				rc = -EPERM;
Commit	Line	Data
742fedfb GKH	1	From 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 Mon Sep 17 00:00:00 2001
	2	From: Kees Cook <keescook@chromium.org>
	3	Date: Wed, 16 Jan 2019 10:31:09 -0800
	4	Subject: Yama: Check for pid death before checking ancestry
	5
	6	From: Kees Cook <keescook@chromium.org>
	7
	8	commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.
	9
	10	It's possible that a pid has died before we take the rcu lock, in which
	11	case we can't walk the ancestry list as it may be detached. Instead, check
	12	for death first before doing the walk.
	13
	14	Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
	15	Fixes: 2d514487faf1 ("security: Yama LSM")
	16	Cc: stable@vger.kernel.org
	17	Suggested-by: Oleg Nesterov <oleg@redhat.com>
	18	Signed-off-by: Kees Cook <keescook@chromium.org>
	19	Signed-off-by: James Morris <james.morris@microsoft.com>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	security/yama/yama_lsm.c \| 4 +++-
	24	1 file changed, 3 insertions(+), 1 deletion(-)
	25
	26	--- a/security/yama/yama_lsm.c
	27	+++ b/security/yama/yama_lsm.c
	28	@@ -288,7 +288,9 @@ static int yama_ptrace_access_check(stru
	29	break;
	30	case YAMA_SCOPE_RELATIONAL:
	31	rcu_read_lock();
	32	- if (!task_is_descendant(current, child) &&
	33	+ if (!pid_alive(child))
	34	+ rc = -EPERM;
	35	+ if (!rc && !task_is_descendant(current, child) &&
	36	!ptracer_exception_found(current, child) &&
	37	!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
	38	rc = -EPERM;