From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com, Oleg Nesterov, Kees Cook, James Morris
Subject: [PATCH 4.4 049/104] Yama: Check for pid death before checking ancestry
Date: Thu, 24 Jan 2019 20:19:38 +0100
Message-Id: <20190124190201.140687919@linuxfoundation.org>
In-Reply-To: <20190124190154.968308875@linuxfoundation.org>
References: <20190124190154.968308875@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook

commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.

It's possible that a pid has died before we take the rcu lock, in which
case we can't walk the ancestry list as it may be detached. Instead, check
for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487faf1 ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov
Signed-off-by: Kees Cook
Signed-off-by: James Morris
Signed-off-by: Greg Kroah-Hartman
---
 security/yama/yama_lsm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -288,7 +288,9 @@ static int yama_ptrace_access_check(stru break; case YAMA_SCOPE_RELATIONAL: rcu_read_lock(); - if (!task_is_descendant(current, child) && + if (!pid_alive(child)) + rc = -EPERM; + if (!rc && !task_is_descendant(current, child) && !ptracer_exception_found(current, child) && !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) rc = -EPERM;
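
Review bot: the "!rc &&" guard added to the second condition in the YAMA_SCOPE_RELATIONAL case only skips the ancestry walk if rc is still 0 when the case is entered, and the hunk does not show where rc is initialised. Chaining the second test as "else if" after the pid_alive(child) check would make the ordering explicit without depending on rc's earlier value. A one-line comment above "if (!pid_alive(child))" saying that the ancestry list may be detached once the task has died would also record why this check has to come before task_is_descendant() and inside the rcu_read_lock() section, since the code alone does not say it. Note too that a child that has already died is now reported to the caller as -EPERM, the same code as a policy denial; if that is intended, the comment is a good place to state it.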