Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp6206007ybi; Wed, 29 May 2019 04:35:02 -0700 (PDT) X-Google-Smtp-Source: APXvYqziPQu5ZKstiymPQc+qta5JIMly/0HtfrBo/feoG0B79H9B4G/H/eWN0s+TFsZxEUgrKS6f X-Received: by 2002:a17:902:868f:: with SMTP id g15mr2504498plo.67.1559129702315; Wed, 29 May 2019 04:35:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559129702; cv=none; d=google.com; s=arc-20160816; b=lnnYYEmHqRwQja+/3g/WWD2n0Z7HMVcTZ+Q3Sz7U1PcDMxBT1mDguYNO7RhZ7Xu6A6 FTCwi32PELuJyZSBBs8bxOAncW42M3GX8egpYN97jMBZlR4Dh1n3X+KZIOTo/5w3C5Iu FiUsXYgu9wGmIgg2zIl2/+d+wcIBo9KA30Uk5oF8JoVgu01Yd0FoYyd3pNCVe5k2H82U LyWV/eyptVfWj15z4HwhX7BMYnBjKGn4mtLpPosG6g6CNSgS/oytFnUuRGJkke5Rtuxu Bav1FMwV+PQWgV8nqRc82A75guRKYkvp+GUDWIiOd9mN+BRSEL7aYiotee6pu0p1atTo iRMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:mime-version :message-id:date:dkim-signature; bh=EPoVy8lx0burcqRe9tnNKcLoXN9lfRRXZMjhWxr4XRw=; b=NX96bG/B+0OEx1qOYFoinAT5hi0JbVmTPLSVipGFwN35jg4PNzvwQgjGovTeiS/5gj 42NlaUHVoxjyrq3PfqtGhECf8pvCxKoU9d91K2SlE3q3jCT2TENRC2E6CCT4BaH14zhD cLbixjQZfauynEmK4BZwpRiy/CFkV+UJ5b5g8jjlq2/VAM0Tid9TDxH3wz2jJN2vd2el Y8iqng8lmxPVbZPHMylZJZash31uYhImKIUKeiJgXB6wtsNKy3xKuLiZq5IUVtjhKaNl zX1WYfZ1mrxgIAjXZ+vlcvHrVos4WuVfvF+GMBMB2/TE0wAK9pNqlxXuHYZtgWTOgyBn 6Jpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CWsIJryF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p91si27395326plb.165.2019.05.29.04.34.46; Wed, 29 May 2019 04:35:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CWsIJryF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726893AbfE2LdG (ORCPT + 99 others); Wed, 29 May 2019 07:33:06 -0400 Received: from mail-vk1-f202.google.com ([209.85.221.202]:42324 "EHLO mail-vk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726791AbfE2LdF (ORCPT ); Wed, 29 May 2019 07:33:05 -0400 Received: by mail-vk1-f202.google.com with SMTP id l20so847656vkl.9 for ; Wed, 29 May 2019 04:33:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=EPoVy8lx0burcqRe9tnNKcLoXN9lfRRXZMjhWxr4XRw=; b=CWsIJryFsXwTbU5c7t9lokMjdfRXXNr0foOaD5TZxOkCPbrKdjqCdooJY+N16Zcdc+ lhmPlI7p4rC/EpxHYMXFECQ2hJoea2SQPwNMH8vwMvJboBKEpU/UTfkvG8VsG3quMpRX vKUcAGSA1Vi2zbLJAQODn62wcO4PmJVZOdpkzdgbSWl/Ilt+iHpHdV3QMShxa00Uw8ek qisJYnAW1PIc4/TeIluzaTHmZxmai/af998YqoRPXcJMEpS+B5cHqwKXrwdtot7AnK8u +d6XZqUa7u7ZvCmR4u5n2mn13+wpdPddyVscYCb6XnDn6NIPOmpIqk8tZ6RBBjULAQZg Th+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=EPoVy8lx0burcqRe9tnNKcLoXN9lfRRXZMjhWxr4XRw=; b=bFpn4chsY8nYkUQjh7itA4LdsV4EDb0Ith85VB10aLdSqdbPhvYxGhsWZ0ZauHQn86 Fp6UiE5ArZd+pyFOrId/SvN0CYp7IY96X+O5Una+MT5mcguUEXhIMHdyO5wTonJWhJtS JVp0tDMTD4+63mVg/33PwoRsc0Mm/lFWSLYAJskWz3E/8qUxFF5yxEu1uTJTjDQjz90h UM51bb9UXAscx4WdxuGTigiVidFmD819MLrcMlpiPrH6Ywgy03EEJOim5RZM0KJDUPQH TpPUjuXsVMd0wAy5PDPREYkxe2xYtfjw75IGYWrehmGJ1CWTR5yPx3zk1tHUSmtj2uH7 bg2w== X-Gm-Message-State: APjAAAWwfOUSoigVtUNzWZwgWmIYtCC0ijrzsuPq9dE6obayfglT8QyX 7l2OFhIn2CaRtqyRPp+mQS4buUhfjw== X-Received: by 2002:ab0:14cb:: with SMTP id f11mr7593106uae.24.1559129583868; Wed, 29 May 2019 04:33:03 -0700 (PDT) Date: Wed, 29 May 2019 13:31:57 +0200 Message-Id: <20190529113157.227380-1-jannh@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.22.0.rc1.257.g3120a18244-goog Subject: [PATCH] ptrace: restore smp_rmb() in __ptrace_may_access() From: Jann Horn To: Oleg Nesterov , "Eric W . Biederman" , jannh@google.com Cc: Andrew Morton , Kees Cook , David Howells , linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Restore the read memory barrier in __ptrace_may_access() that was deleted a couple years ago. Also add comments on this barrier and the one it pairs with to explain why they're there (as far as I understand). Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn --- (I have no clue whatsoever what the relevant tree for this is, but I guess Oleg is the relevant maintainer?) kernel/cred.c | 9 +++++++++ kernel/ptrace.c | 10 ++++++++++ 2 files changed, 19 insertions(+) diff --git a/kernel/cred.c b/kernel/cred.c index 45d77284aed0..07e069d00696 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -450,6 +450,15 @@ int commit_creds(struct cred *new) if (task->mm) set_dumpable(task->mm, suid_dumpable); task->pdeath_signal = 0; + /* + * If a task drops privileges and becomes nondumpable, + * the dumpability change must become visible before + * the credential change; otherwise, a __ptrace_may_access() + * racing with this change may be able to attach to a task it + * shouldn't be able to attach to (as if the task had dropped + * privileges without becoming nondumpable). + * Pairs with a read barrier in __ptrace_may_access(). + */ smp_wmb(); } diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 5710d07e67cf..e54452c2954b 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -324,6 +324,16 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) return -EPERM; ok: rcu_read_unlock(); + /* + * If a task drops privileges and becomes nondumpable (through a syscall + * like setresuid()) while we are trying to access it, we must ensure + * that the dumpability is read after the credentials; otherwise, + * we may be able to attach to a task that we shouldn't be able to + * attach to (as if the task had dropped privileges without becoming + * nondumpable). + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); mm = task->mm; if (mm && ((get_dumpable(mm) != SUID_DUMP_USER) && -- 2.22.0.rc1.257.g3120a18244-goog