git.ipfire.org Git - thirdparty/kernel/linux.git/commit
proc: protect ptrace_may_access() with exec_update_lock (FD links)
author Jann Horn <jannh@google.com>
Mon, 18 May 2026 16:35:16 +0000 (18:35 +0200)
committer Christian Brauner <brauner@kernel.org>
Fri, 5 Jun 2026 08:00:55 +0000 (10:00 +0200)
commit 6255da28d4bb5349fe18e84cb043ccd394eba75d
tree 03a43424fca41ffbb0e2b304be927aad8089727c
parent 6650527444dadc63d84aa939d14ecba4fadb2f69
proc: protect ptrace_may_access() with exec_update_lock (FD links)

proc_pid_get_link() and proc_pid_readlink() currently look up the task from
the pid once, then do the ptrace access check on that task, then look up
the task from the pid a second time to do the actual access.
That's racy in several ways.

To fix it, pass the task to the ->proc_get_link() handler, and instead of
proc_fd_access_allowed(), introduce a new helper call_proc_get_link() that
looks up and locks the task, does the access check, and calls
->proc_get_link().

Fixes: 778c1144771f ("[PATCH] proc: Use sane permission checks on the /proc/<pid>/fd/ symlinks")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260518-procfs-lockfix-part1-v1-2-5c3d20e0ac33@google.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
fs/proc/base.c
fs/proc/fd.c
fs/proc/internal.h
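
The lookup, check, re-lookup shape described in the commit message, reduced to a single-threaded userspace model; this is an added example, not code from the commit or the kernel. The task table, the hooks and all function names are assumptions made for illustration, and the `locked` flag only stands in for exec_update_lock (a real exec would wait on the lock; the model simply skips it).

```c
#include <stdio.h>
/* Constructed userspace model. All names are hypothetical, not kernel APIs. */
struct task { int uid; const char *fd_target; int locked; };
static struct task user_task, priv_task;
static struct task *pid_table[2];      /* pid -> task currently bound */
static void (*race_hook)(void);        /* runs inside the race window */

void reset(void) {
    user_task = (struct task){ 1000, "/home/user/notes.txt", 0 };
    priv_task = (struct task){ 0, "/root/secret", 0 };
    pid_table[1] = &user_task;
    race_hook = NULL;
}

/* Race 1: the pid now refers to a different, privileged task. */
void hook_rebind(void) { pid_table[1] = &priv_task; }
/* Race 2: the task changes credentials in place (exec) unless locked out. */
void hook_exec(void) { if (!user_task.locked) user_task = priv_task; }

/* Stand-in for the access check: caller may only inspect its own uid. */
static int may_access(const struct task *t, int uid) { return t && t->uid == uid; }

/* Old shape: look up, check, then look up again for the actual access. */
const char *get_link_racy(int pid, int uid) {
    if (!may_access(pid_table[pid], uid)) return NULL;
    if (race_hook) race_hook();
    struct task *t = pid_table[pid];   /* second lookup, never checked */
    return t ? t->fd_target : NULL;
}

/* Fixed shape: one lookup, then lock, check and access on that same task. */
const char *get_link_locked(int pid, int uid) {
    struct task *t = pid_table[pid];
    const char *res = NULL;
    if (!t) return NULL;
    t->locked = 1;                     /* models holding exec_update_lock */
    if (may_access(t, uid)) {
        if (race_hook) race_hook();
        res = t->fd_target;
    }
    t->locked = 0;
    return res;
}

int main(void) {
    reset(); race_hook = hook_exec;
    printf("racy:   %s\n", get_link_racy(1, 1000));
    reset(); race_hook = hook_exec;
    printf("locked: %s\n", get_link_locked(1, 1000));
    return 0;
}
```

In the model, the racy variant returns the privileged task's link target under either hook, while the locked variant returns only what the checked task exposed at check time.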