From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com, Oleg Nesterov, Kees Cook, James Morris
Subject: [PATCH 4.9 22/51] Yama: Check for pid death before checking ancestry
Date: Mon, 21 Jan 2019 14:44:18 +0100
Message-Id: <20190121122455.586108864@linuxfoundation.org>
In-Reply-To: <20190121122453.700446926@linuxfoundation.org>
References: <20190121122453.700446926@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook

commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.

It's possible that a pid has died before we take the rcu lock, in which case we can't walk the ancestry list as it may be detached. Instead, check for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487faf1 ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov
Signed-off-by: Kees Cook
Signed-off-by: James Morris
Signed-off-by: Greg Kroah-Hartman

--- security/yama/yama_lsm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -359,7 +359,9 @@ static int yama_ptrace_access_check(stru break; case YAMA_SCOPE_RELATIONAL: rcu_read_lock(); - if (!task_is_descendant(current, child) && + if (!pid_alive(child)) + rc = -EPERM; + if (!rc && !task_is_descendant(current, child) && !ptracer_exception_found(current, child) && !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) rc = -EPERM;
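
Review bot: the new `if (!rc && ...` guard in the YAMA_SCOPE_RELATIONAL case only skips the ancestry walk if rc is 0 on entry to this case, and the hunk does not show where rc is initialised. Writing the second test as `else if (!task_is_descendant(current, child) && ...` would make the short-circuit independent of rc's earlier value and make it obvious that `task_is_descendant()`, `ptracer_exception_found()` and `__task_cred(child)` are never reached for a dead child. Two smaller points on the same lines: a one-line comment above `if (!pid_alive(child))` saying that the check must happen under `rcu_read_lock()` because the ancestry list may be detached would keep a later cleanup from reordering it, and the commit message could state that a dead child now yields -EPERM before the `ns_capable(..., CAP_SYS_PTRACE)` exception is evaluated, so the result no longer depends on the caller's capabilities in that path.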