From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com, Oleg Nesterov, Kees Cook, James Morris
Subject: [PATCH 4.19 42/99] Yama: Check for pid death before checking ancestry
Date: Mon, 21 Jan 2019 14:48:34 +0100
Message-Id: <20190121134915.566276547@linuxfoundation.org>
In-Reply-To: <20190121134913.924726465@linuxfoundation.org>
References: <20190121134913.924726465@linuxfoundation.org>

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook

commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.

It's possible that a pid has died before we take the rcu lock, in which
case we can't walk the ancestry list as it may be detached. Instead, check
for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487faf1 ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov
Signed-off-by: Kees Cook
Signed-off-by: James Morris
Signed-off-by: Greg Kroah-Hartman

--- security/yama/yama_lsm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -368,7 +368,9 @@ static int yama_ptrace_access_check(stru break; case YAMA_SCOPE_RELATIONAL: rcu_read_lock(); - if (!task_is_descendant(current, child) && + if (!pid_alive(child)) + rc = -EPERM; + if (!rc && !task_is_descendant(current, child) && !ptracer_exception_found(current, child) && !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) rc = -EPERM;
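
Review bot: The new `if (!pid_alive(child))` test in the YAMA_SCOPE_RELATIONAL case has no comment, and its position is what makes the fix work: it must stay after rcu_read_lock() and before task_is_descendant(), since the commit message says the ancestry list of a dead pid may be detached. A short comment at that line stating this would keep a later cleanup from reordering or merging the two conditions. The `!rc &&` guard on the second `if` also depends on rc being zero on entry to this case, which the hunk's context lines do not show; writing the second test as an `else if` of the pid_alive() check would give the same short-circuit without relying on the initial value of rc.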