releases/4.9.183/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch

   1 From f6581f5b55141a95657ef5742cf6a6bfa20a109f Mon Sep 17 00:00:00 2001
   2 From: Jann Horn <jannh@google.com>
   3 Date: Wed, 29 May 2019 13:31:57 +0200
   4 Subject: ptrace: restore smp_rmb() in __ptrace_may_access()
   5
   6 From: Jann Horn <jannh@google.com>
   7
   8 commit f6581f5b55141a95657ef5742cf6a6bfa20a109f upstream.
   9
  10 Restore the read memory barrier in __ptrace_may_access() that was deleted
  11 a couple years ago. Also add comments on this barrier and the one it pairs
  12 with to explain why they're there (as far as I understand).
  13
  14 Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
  15 Cc: stable@vger.kernel.org
  16 Acked-by: Kees Cook <keescook@chromium.org>
  17 Acked-by: Oleg Nesterov <oleg@redhat.com>
  18 Signed-off-by: Jann Horn <jannh@google.com>
  19 Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
  20 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21
  22 ---
  23  kernel/cred.c   |    9 +++++++++
  24  kernel/ptrace.c |   10 ++++++++++
  25  2 files changed, 19 insertions(+)
  26
  27 --- a/kernel/cred.c
  28 +++ b/kernel/cred.c
  29 @@ -447,6 +447,15 @@ int commit_creds(struct cred *new)
  30                 if (task->mm)
  31                         set_dumpable(task->mm, suid_dumpable);
  32                 task->pdeath_signal = 0;
  33 +               /*
  34 +                * If a task drops privileges and becomes nondumpable,
  35 +                * the dumpability change must become visible before
  36 +                * the credential change; otherwise, a __ptrace_may_access()
  37 +                * racing with this change may be able to attach to a task it
  38 +                * shouldn't be able to attach to (as if the task had dropped
  39 +                * privileges without becoming nondumpable).
  40 +                * Pairs with a read barrier in __ptrace_may_access().
  41 +                */
  42                 smp_wmb();
  43         }
  44
  45 --- a/kernel/ptrace.c
  46 +++ b/kernel/ptrace.c
  47 @@ -322,6 +322,16 @@ static int __ptrace_may_access(struct ta
  48         return -EPERM;
  49  ok:
  50         rcu_read_unlock();
  51 +       /*
  52 +        * If a task drops privileges and becomes nondumpable (through a syscall
  53 +        * like setresuid()) while we are trying to access it, we must ensure
  54 +        * that the dumpability is read after the credentials; otherwise,
  55 +        * we may be able to attach to a task that we shouldn't be able to
  56 +        * attach to (as if the task had dropped privileges without becoming
  57 +        * nondumpable).
  58 +        * Pairs with a write barrier in commit_creds().
  59 +        */
  60 +       smp_rmb();
  61         mm = task->mm;
  62         if (mm &&
  63             ((get_dumpable(mm) != SUID_DUMP_USER) &&