Jann Horn 49d451da2f ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME ...

commit 6994eefb00 upstream.

Fix two issues:

When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
reference to the parent's objective credentials, then give that pointer
to get_cred().  However, the object lifetime rules for things like
struct cred do not permit unconditionally turning an RCU reference into
a stable reference.

PTRACE_TRACEME records the parent's credentials as if the parent was
acting as the subject, but that's not the case.  If a malicious
unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
at a later point, the parent process becomes attacker-controlled
(because it drops privileges and calls execve()), the attacker ends up
with control over two processes with a privileged ptrace relationship,
which can be abused to ptrace a suid binary and obtain root privileges.

Fix both of these by always recording the credentials of the process
that is requesting the creation of the ptrace relationship:
current_cred() can't change under us, and current is the proper subject
for access control.

This change is theoretically userspace-visible, but I am not aware of
any code that it will actually break.

Fixes: 64b875f7ac ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2023-05-15 13:57:11 +09:00

..

bpf

bpf: convert htab map to hlist_nulls

2023-05-15 12:49:02 +09:00

configs

ANDROID: add script to fetch android kernel config fragments

2017-10-03 17:19:26 +00:00

debug

kdb: use memmove instead of overlapping memcpy

2023-05-15 10:05:47 +09:00

events

perf/ring_buffer: Add ordering to rb->nest increment

2023-05-15 13:49:50 +09:00

gcov

gcov: support GCC 7.1

2017-09-02 07:07:53 +02:00

irq

genirq: Prevent use-after-free and work list corruption

2023-05-15 12:39:52 +09:00

livepatch

livepatch/module: make TAINT_LIVEPATCH module-specific

2016-08-26 14:42:08 +02:00

locking

locking/rwsem: Prevent decrement of reader count before increment

2023-05-15 12:50:55 +09:00

power

x86/power: Fix 'nosmt' vs hibernation triple fault during resume

2023-05-15 13:40:59 +09:00

printk

printk: Fix panic caused by passing log_buf_len to command line

2023-05-15 09:22:52 +09:00

rcu

rcuperf: Fix cleanup path for invalid perf_type strings

2023-05-15 13:36:07 +09:00

sched

sched/core: Handle overflow in cpu_shares_write_u64

2023-05-15 13:34:43 +09:00

time

ntp: Allow TAI-UTC offset to be set to zero

2023-05-15 13:47:36 +09:00

trace

tracing: Silence GCC 9 array bounds warning

2023-05-15 13:54:34 +09:00

.gitignore

certs: add .gitignore to stop git nagging about x509_certificate_list

2015-10-21 15:18:35 +01:00

acct.c

kernel/acct.c: fix the acct->needcheck check in check_free_space()

2018-01-10 09:29:51 +01:00

async.c

kernel/async.c: revert "async: simplify lowest_in_progress()"

2018-02-17 13:21:18 +01:00

audit_fsnotify.c

wrappers for ->i_mutex access

2016-01-22 18:04:28 -05:00

audit_tree.c

audit: cleanup prune_tree_thread

2016-04-04 09:46:47 -04:00

audit_watch.c

audit: fix use-after-free in audit_add_watch

2023-05-15 08:20:49 +09:00

audit.c

audit: return on memory error to avoid null pointer dereference

2018-05-30 07:50:49 +02:00

audit.h

Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit

2016-07-29 17:54:17 -07:00

auditfilter.c

audit: fix a memory leak bug

2023-05-15 13:34:34 +09:00

auditsc.c

audit: allow not equal op for audit by executable

2023-05-12 16:43:50 +09:00

backtracetest.c

…

bounds.c

kbuild: fix kernel/bounds.c 'W=1' warning

2023-05-15 09:22:43 +09:00

capability.c

ptrace: Capture the ptracer's creds not PT_PTRACE_CAP

2017-01-06 10:40:13 +01:00

cfi.c

cfi: print target address on failure

2018-05-01 16:49:34 +00:00

cgroup_freezer.c

cgroup: kill cgrp_ss_priv[CGROUP_CANFORK_COUNT] and friends

2015-12-03 10:24:08 -05:00

cgroup_pids.c

cgroup/pids: remove spurious suspicious RCU usage warning

2017-03-26 13:05:58 +02:00

cgroup.c

cgroup: Fix deadlock in cpu hotplug path

2023-05-15 08:56:19 +09:00

compat.c

19af5c5 dtv_demod: add AGC control for board t309 [1/1]

2019-05-06 21:14:10 +08:00

configs.c

…

context_tracking.c

context_tracking: Switch to new static_branch API

2015-11-24 09:56:43 +01:00

cpu_pm.c

kernel/cpu_pm: fix cpu_cluster_pm_exit comment

2015-09-03 02:42:20 +02:00

cpu.c

cpu/speculation: Warn on unsupported mitigations= parameter

2023-05-15 13:56:08 +09:00

cpuset.c

Merge 4.9.55 into android-4.9

2017-10-12 22:31:24 +02:00

crash_dump.c

…

cred.c

ptrace: restore smp_rmb() in __ptrace_may_access()

2023-05-15 13:48:43 +09:00

delayacct.c

kmemcg: account certain kmem allocations to memcg

2016-01-14 16:00:49 -08:00

dma.c

…

elfcore.c

…

exec_domain.c

Remove rest of exec domains.

2015-04-12 21:03:31 +02:00

exit.c

kernel/exit.c: release ptraced tasks before zap_pid_ns_processes

2023-05-15 11:16:37 +09:00

extable.c

kernel/extable.c: mark core_kernel_text notrace

2017-07-21 07:42:21 +02:00

fork.c

fork: record start_time late

2023-05-15 10:54:38 +09:00

freezer.c

freezer, oom: check TIF_MEMDIE on the correct task

2016-07-28 16:07:41 -07:00

futex_compat.c

ptrace: use fsuid, fsgid, effective creds for fs access checks

2016-01-20 17:09:18 -08:00

futex.c

futex: Ensure that futex address is aligned in handle_futex_death()

2023-05-15 12:06:55 +09:00

groups.c

kernel: make groups_sort calling a responsibility group_info allocators

2018-01-10 09:29:52 +01:00

hung_task.c

kernel: hung_task.c: disable on suspend

2023-05-15 12:23:14 +09:00

irq_work.c

treewide: Remove old email address

2015-11-23 09:44:58 +01:00

jump_label.c

jump_label: Invoke jump_label_test() via early_initcall()

2017-12-14 09:28:24 +01:00

kallsyms.c

rodata: optimize memory usage of rodata section [4/5]

2023-04-21 13:52:34 +09:00

kcmp.c

ptrace: use fsuid, fsgid, effective creds for fs access checks

2016-01-20 17:09:18 -08:00

Kconfig.freezer

…

Kconfig.hz

…

Kconfig.locks

locking/qrwlock: Rename QUEUE_RWLOCK to QUEUED_RWLOCKS

2015-05-12 09:46:00 +02:00

Kconfig.preempt

…

kcov.c

kcov: ensure irq code sees a valid area

2023-05-12 16:39:07 +09:00

kexec_core.c

objtool, x86: Add several functions and files to the objtool whitelist

2018-06-05 10:28:57 +02:00

kexec_file.c

kexec: fix double-free when failing to relocate the purgatory

2016-09-01 17:52:01 -07:00

kexec_internal.h

kexec: move some memembers and definitions within the scope of CONFIG_KEXEC_FILE

2016-01-20 17:09:18 -08:00

kexec.c

kexec: allow architectures to override boot mapping

2016-08-02 19:35:27 -04:00

kmod.c

kmod: don't run async usermode helper as a child of kworker thread

2015-10-23 17:55:10 +09:00

kprobes.c

kprobes: Fix error check when reusing optimized probes

2023-05-15 12:27:55 +09:00

ksysfs.c

kexec: add a kexec_crash_loaded() function

2016-08-02 19:35:30 -04:00

kthread.c

kthread, tracing: Don't expose half-written comm when creating kthreads

2023-05-12 16:38:55 +09:00

latencytop.c

sched/debug: Make schedstats a runtime tunable that is disabled by default

2016-02-09 11:54:23 +01:00

Makefile

x86/uaccess, kcov: Disable stack protector

2023-05-15 13:48:54 +09:00

membarrier.c

Fix: Disable sys_membarrier when nohz_full is enabled

2017-03-12 06:41:45 +01:00

memremap.c

mm, devm_memremap_pages: kill mapping "System RAM" support

2023-05-15 10:54:41 +09:00

module_signing.c

KEYS: Move the point of trust determination to __key_link()

2016-04-11 22:43:43 +01:00

module-internal.h

…

module.c

module: exclude SHN_UNDEF symbols from kallsyms api

2023-05-15 08:29:17 +09:00

notifier.c

Merge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

2015-09-01 08:40:25 -07:00

nsproxy.c

cgroup: introduce cgroup namespaces

2016-02-16 13:04:58 -05:00

padata.c

padata: free correct variable

2017-05-20 14:28:40 +02:00

panic.c

panic: avoid deadlocks in re-entrant console drivers

2023-05-15 10:45:36 +09:00

params.c

Merge tag 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

2015-11-09 15:53:39 -08:00

pid_namespace.c

pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes

2017-05-25 15:44:38 +02:00

pid.c

pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid()

2018-04-13 19:47:53 +02:00

profile.c

profile: Convert to hotplug state machine

2016-07-15 10:41:42 +02:00

ptrace.c

ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME

2023-05-15 13:57:11 +09:00

range.c

…

reboot.c

kexec: split kexec_load syscall from kexec core code

2015-09-10 13:29:01 -07:00

relay.c

kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE

2018-05-30 07:50:29 +02:00

resource.c

resource: fix integer overflow at reallocation

2018-04-24 09:34:09 +02:00

seccomp.c

seccomp: Move speculation migitation control to arch code

2018-05-22 16:58:02 +02:00

signal.c

kernel/signal.c: trace_signal_deliver when signal_group_exit

2023-05-15 13:40:22 +09:00

smp.c

cpu/hotplug: Fix SMT supported evaluation

2023-05-12 16:55:46 +09:00

smpboot.c

kthread/smpboot: do not park in kthread_create_on_cpu()

2016-10-11 15:06:33 -07:00

smpboot.h

cpu/hotplug: Create hotplug threads

2016-03-01 20:36:56 +01:00

softirq.c

Mark HI and TASKLET softirq synchronous

2023-05-12 16:46:40 +09:00

stacktrace.c

stacktrace, lockdep: Fix address, newline ugliness

2017-02-14 15:25:42 -08:00

stop_machine.c

stop_machine: Use raw spinlocks

2023-05-12 16:43:35 +09:00

sys_ni.c

x86/pkeys: Fix pkeys build breakage for some non-x86 arches

2016-09-13 14:41:36 +02:00

sys.c

kernel/sys.c: prctl: fix false positive in validate_prctl_map()

2023-05-15 13:47:18 +09:00

sysctl_binary.c

kernel/sysctl_binary.c: use generic UUID library

2016-05-20 17:58:30 -07:00

sysctl.c

sysctl: return -EINVAL if val violates minmax

2023-05-15 13:47:04 +09:00

task_work.c

task_work: use READ_ONCE/lockless_dereference, avoid pi_lock if !task_works

2016-08-02 19:35:02 -04:00

taskstats.c

taskstats: fix the length of cgroupstats_cmd_get_policy

2016-11-03 16:55:58 -04:00

test_kprobes.c

…

torture.c

torture: Convert torture_shutdown() to hrtimer

2016-08-22 10:01:49 -07:00

tracepoint.c

tracepoint: Do not warn on ENOMEM

2018-05-09 09:50:20 +02:00

tsacct.c

time, acct: Drop irq save & restore from __acct_update_integrals()

2016-02-29 09:53:09 +01:00

ucount.c

kernel/ucount.c: mark user_header with kmemleak_ignore()

2017-06-17 06:41:51 +02:00

uid16.c

kernel: make groups_sort calling a responsibility group_info allocators

2018-01-10 09:29:52 +01:00

up.c

smp: Add function to execute a function synchronously on a CPU

2016-09-05 13:52:39 +02:00

user_namespace.c

userns: move user access out of the mutex

2023-05-12 17:24:22 +09:00

user-return-notifier.c

…

user.c

ANDROID: proc: Add /proc/uid directory

2018-04-03 11:15:30 -07:00

utsname_sysctl.c

sys: don't hold uts_sem while accessing userspace memory

2023-05-12 17:24:20 +09:00

utsname.c

Merge branch 'nsfs-ioctls' into HEAD

2016-09-22 20:00:36 -05:00

watchdog_hld.c

debug: hard lockup detect

2018-05-09 19:39:28 -07:00

watchdog.c

debug: hard lockup detect

2018-05-09 19:39:28 -07:00

workqueue_internal.h

workqueue: Fix NULL pointer dereference

2017-11-15 15:53:17 +01:00

workqueue.c

Merge branch 'android-4.9' into amlogic-4.9-dev

2018-08-07 14:43:24 +08:00