From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com, Oleg Nesterov , Kees Cook , James Morris
Subject: [PATCH 4.14 24/59] Yama: Check for pid death before checking ancestry
Date: Mon, 21 Jan 2019 14:43:49 +0100
Message-Id: <20190121122459.259451140@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190121122456.529172919@linuxfoundation.org>
References: <20190121122456.529172919@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook

commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.

It's possible that a pid has died before we take the rcu lock, in which case we can't walk the ancestry list as it may be detached. Instead, check for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487faf1 ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov
Signed-off-by: Kees Cook
Signed-off-by: James Morris
Signed-off-by: Greg Kroah-Hartman

--- security/yama/yama_lsm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -373,7 +373,9 @@ static int yama_ptrace_access_check(stru break; case YAMA_SCOPE_RELATIONAL: rcu_read_lock(); - if (!task_is_descendant(current, child) && + if (!pid_alive(child)) + rc = -EPERM; + if (!rc && !task_is_descendant(current, child) && !ptracer_exception_found(current, child) && !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) rc = -EPERM;
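
Review bot: The added `if (!pid_alive(child))` check in the YAMA_SCOPE_RELATIONAL case carries no comment saying why it has to run before `task_is_descendant()`, and that ordering is the whole fix. The commit message has the reason (a task that died before `rcu_read_lock()` may have a detached ancestry list); a one-line comment above the check would keep a later cleanup from folding it back into the compound condition or moving it after the walk. The `!rc &&` guard on the second `if` does skip the walk for a dead task, but an `else if` would state that directly instead of routing it through the value of `rc`. A dead child now returns the same -EPERM as a policy denial, so the caller cannot tell the two apart; if that is intended, the changelog could say so.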