Date: Wed, 16 Jan 2019 10:31:09 -0800
From: Kees Cook
To: James Morris
Cc: Oleg Nesterov, Tetsuo Handa, "Serge E. Hallyn", LKML, linux-security-module, syzbot, syzkaller-bugs@googlegroups.com
Subject: [PATCH] Yama: Check for pid death before checking ancestry
Message-ID: <20190116183109.GA21722@beast>
X-Mailing-List: linux-kernel@vger.kernel.org

It's possible that a pid has died before we take the rcu lock, in which
case we can't walk the ancestry list as it may be detached. Instead, check
for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487faf1 ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov
Signed-off-by: Kees Cook
---
James, can you please send this to Linus in your -fixes tree?
---
 security/yama/yama_lsm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index ffda91a4a1aa..02514fe558b4 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c 
@@ -368,7 +368,9 @@ static int yama_ptrace_access_check(struct task_struct *child, break; case YAMA_SCOPE_RELATIONAL: rcu_read_lock(); - if (!task_is_descendant(current, child) && + if (!pid_alive(child)) + rc = -EPERM; + if (!rc && !task_is_descendant(current, child) && !ptracer_exception_found(current, child) && !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) rc = -EPERM; -- 2.17.1 -- Kees Cook
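
Review bot: The new `pid_alive(child)` test in the YAMA_SCOPE_RELATIONAL case carries no comment, and the condition that follows it is gated with `!rc`, which is only correct if rc is still 0 when this case is entered. A one-line comment above the check, saying that a dead child may already be detached so its ancestry must not be walked, would keep a later cleanup from reordering or dropping it. Writing the second test as `else if (!task_is_descendant(current, child) && ...` would make the short-circuit explicit without relying on rc's earlier value. The check is placed after rcu_read_lock(), which matches the commit message's concern about the pid dying before the lock is taken; since only this call site is guarded, any other caller of task_is_descendant() would need to be checked separately.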