3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jun 2015 23:51:34 +0000 (16:51 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jun 2015 23:51:34 +0000 (16:51 -0700)
added patches:
__ptrace_may_access-should-not-deny-sub-threads.patch
include-linux-sched.h-don-t-use-task-pid-tgid-in.patch

queue-3.10/__ptrace_may_access-should-not-deny-sub-threads.patch [new file with mode: 0644]
queue-3.10/include-linux-sched.h-don-t-use-task-pid-tgid-in.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/__ptrace_may_access-should-not-deny-sub-threads.patch b/queue-3.10/__ptrace_may_access-should-not-deny-sub-threads.patch
new file mode 100644 (file)
index 0000000..7ea98e8
--- /dev/null
@@ -0,0 +1,46 @@
+From 73af963f9f3036dffed55c3a2898598186db1045 Mon Sep 17 00:00:00 2001
+From: Mark Grondona <mgrondona@llnl.gov>
+Date: Wed, 11 Sep 2013 14:24:31 -0700
+Subject: __ptrace_may_access() should not deny sub-threads
+
+From: Mark Grondona <mgrondona@llnl.gov>
+
+commit 73af963f9f3036dffed55c3a2898598186db1045 upstream.
+
+__ptrace_may_access() checks get_dumpable/ptrace_has_cap/etc if task !=
+current, this can can lead to surprising results.
+
+For example, a sub-thread can't readlink("/proc/self/exe") if the
+executable is not readable.  setup_new_exec()->would_dump() notices that
+inode_permission(MAY_READ) fails and then it does
+set_dumpable(suid_dumpable).  After that get_dumpable() fails.
+
+(It is not clear why proc_pid_readlink() checks get_dumpable(), perhaps we
+could add PTRACE_MODE_NODUMPABLE)
+
+Change __ptrace_may_access() to use same_thread_group() instead of "task
+== current".  Any security check is pointless when the tasks share the
+same ->mm.
+
+Signed-off-by: Mark Grondona <mgrondona@llnl.gov>
+Signed-off-by: Ben Woodard <woodard@redhat.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/ptrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -236,7 +236,7 @@ static int __ptrace_may_access(struct ta
+        */
+       int dumpable = 0;
+       /* Don't let security modules deny introspection */
+-      if (task == current)
++      if (same_thread_group(task, current))
+               return 0;
+       rcu_read_lock();
+       tcred = __task_cred(task);
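Review bot: The retained comment `/* Don't let security modules deny introspection */` no longer describes the guard in the kernel/ptrace.c hunk. With `same_thread_group(task, current)` the early `return 0` now skips the get_dumpable/ptrace_has_cap checks named in the commit message for every sibling thread, not only for `current`. I would put the rationale next to the check, e.g. `/* Don't let security modules deny introspection; threads of one group share ->mm, so checking a sibling adds nothing */`. The bypass is only as sound as same_thread_group() itself, which the companion sched.h patch in this commit rewrites to compare ->signal, so the order in the series file (sched.h first) should be kept. The body of __ptrace_may_access() starts and ends outside this hunk, so the remaining checks are not visible here.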
diff --git a/queue-3.10/include-linux-sched.h-don-t-use-task-pid-tgid-in.patch b/queue-3.10/include-linux-sched.h-don-t-use-task-pid-tgid-in.patch
new file mode 100644 (file)
index 0000000..0b1b966
--- /dev/null
@@ -0,0 +1,54 @@
+From e1403b8edf669ff49bbdf602cc97fefa2760cb15 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Wed, 11 Sep 2013 14:20:06 -0700
+Subject: include/linux/sched.h: don't use task->pid/tgid in
+ same_thread_group/has_group_leader_pid
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit e1403b8edf669ff49bbdf602cc97fefa2760cb15 upstream.
+
+task_struct->pid/tgid should go away.
+
+1. Change same_thread_group() to use task->signal for comparison.
+
+2. Change has_group_leader_pid(task) to compare task_pid(task) with
+   signal->leader_pid.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Michal Hocko <mhocko@suse.cz>
+Cc: Sergey Dyasly <dserrg@gmail.com>
+Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/sched.h |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -2203,15 +2203,15 @@ static inline bool thread_group_leader(s
+  * all we care about is that we have a task with the appropriate
+  * pid, we don't actually care if we have the right task.
+  */
+-static inline int has_group_leader_pid(struct task_struct *p)
++static inline bool has_group_leader_pid(struct task_struct *p)
+ {
+-      return p->pid == p->tgid;
++      return task_pid(p) == p->signal->leader_pid;
+ }
+ static inline
+-int same_thread_group(struct task_struct *p1, struct task_struct *p2)
++bool same_thread_group(struct task_struct *p1, struct task_struct *p2)
+ {
+-      return p1->tgid == p2->tgid;
++      return p1->signal == p2->signal;
+ }
+ static inline struct task_struct *next_thread(const struct task_struct *p)
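Review bot: same_thread_group() has no comment, and after this hunk it returns `p1->signal == p2->signal`, relying on an invariant that is not stated anywhere visible here: one signal_struct per thread group, valid for as long as the task_struct is. The ptrace patch queued in the same commit makes this helper the condition for skipping access checks, so I would document it, e.g. `/* Threads of one group share a single signal_struct, so pointer equality identifies the group. */`. has_group_leader_pid() also now dereferences `p->signal` where the old code only compared two integers. Presumably ->signal cannot be NULL for a live task_struct on 3.10, but that is worth confirming for this backport, since the surrounding comment says callers may not hold "the right task".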
index ec855bec3dc8002503acc8551a3a330acf4ce39c..c86ca2caa4cecddc9f059438db1c146777f961f4 100644 (file)
@@ -3,3 +3,5 @@ get-rid-of-s_files-and-files_lock.patch
 config-enable-need_dma_map_state-by-default-when-swiotlb-is-selected.patch
 netfilter-nfnetlink_cthelper-remove-const-and-to-avoid-warnings.patch
 netfilter-zero-the-tuple-in-nfnl_cthelper_parse_tuple.patch
+include-linux-sched.h-don-t-use-task-pid-tgid-in.patch
+__ptrace_may_access-should-not-deny-sub-threads.patch