From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kees Cook, Oleg Nesterov, Jann Horn, "Eric W. Biederman"
Subject: [PATCH 5.1 026/115] ptrace: restore smp_rmb() in __ptrace_may_access()
Date: Mon, 17 Jun 2019 23:08:46 +0200
Message-Id: <20190617210801.285626070@linuxfoundation.org>
In-Reply-To: <20190617210759.929316339@linuxfoundation.org>
References: <20190617210759.929316339@linuxfoundation.org>

From: Jann Horn

commit f6581f5b55141a95657ef5742cf6a6bfa20a109f upstream.

Restore the read memory barrier in __ptrace_may_access() that was deleted a couple years ago. Also add comments on this barrier and the one it pairs with to explain why they're there (as far as I understand).

Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
Cc: stable@vger.kernel.org
Acked-by: Kees Cook
Acked-by: Oleg Nesterov
Signed-off-by: Jann Horn
Signed-off-by: Eric W. Biederman
Signed-off-by: Greg Kroah-Hartman
---
kernel/cred.c | 9 +++++++++ kernel/ptrace.c | 10 ++++++++++ 2 files changed, 19 insertions(+) --- a/kernel/cred.c +++ b/kernel/cred.c @@ -450,6 +450,15 @@ int commit_creds(struct cred *new) if (task->mm) set_dumpable(task->mm, suid_dumpable); task->pdeath_signal = 0; + /* + * If a task drops privileges and becomes nondumpable, + * the dumpability change must become visible before + * the credential change; otherwise, a __ptrace_may_access() + * racing with this change may be able to attach to a task it + * shouldn't be able to attach to (as if the task had dropped + * privileges without becoming nondumpable). + * Pairs with a read barrier in __ptrace_may_access(). + */ smp_wmb(); } --- a/kernel/ptrace.c
+++ b/kernel/ptrace.c @@ -323,6 +323,16 @@ static int __ptrace_may_access(struct ta return -EPERM; ok: rcu_read_unlock(); + /* + * If a task drops privileges and becomes nondumpable (through a syscall + * like setresuid()) while we are trying to access it, we must ensure + * that the dumpability is read after the credentials; otherwise, + * we may be able to attach to a task that we shouldn't be able to + * attach to (as if the task had dropped privileges without becoming + * nondumpable). + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); mm = task->mm; if (mm && ((get_dumpable(mm) != SUID_DUMP_USER) &&
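Review bot: in the kernel/cred.c hunk the new comment says the task "becomes nondumpable", but the visible call is set_dumpable(task->mm, suid_dumpable), and suid_dumpable is the fs.suid_dumpable sysctl, which an administrator can set to 1 (SUID_DUMP_USER) so that the task stays dumpable after the privilege drop; the smp_wmb() is still correct in that configuration, since the ordering argument only needs the dumpability store to be visible before the credential store, so consider wording the comment as "changes dumpability" or noting that the nondumpable case is the default one. It is also worth a short remark that set_dumpable() runs only when task->mm is non-NULL while the barrier is unconditional; that is fine, because a task without an mm has no dumpability to order, but saying so saves the next reader from wondering whether smp_wmb() belongs inside the if (task->mm) branch.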
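Review bot: in the kernel/ptrace.c hunk the smp_rmb() sits after rcu_read_unlock() at the ok: label, which is the right place: the statement before ok: is return -EPERM, so ok: is only reached by jumps from the credential checks above it, those loads all precede the barrier, and rcu_read_unlock() gives no load ordering of its own. The comment could say explicitly which two loads it orders, the credential reads before ok: and the get_dumpable(mm) read that follows mm = task->mm, since the mm pointer load in between is not the read being protected; stating it that way also makes it obvious that the barrier must stay on the common path rather than being moved into one branch of the checks above.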