From 1e3e001c121644ace88f9db83061ef9719291098 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Fri, 26 Jun 2020 21:37:59 +0200 Subject: [PATCH] apparmor: don't try to replace stale label in ptraceme check Closes: #963493 --- debian/changelog | 2 + ...ry-to-replace-stale-label-in-ptracem.patch | 43 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 46 insertions(+) create mode 100644 debian/patches/bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch diff --git a/debian/changelog b/debian/changelog index cdba4786e..aeaddef5e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,8 @@ linux (4.19.118-3) UNRELEASED; urgency=medium * ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (Closes: #960493) * [rt] Add new signing key for Tom Zanussi + * apparmor: don't try to replace stale label in ptraceme check + (Closes: #963493) -- Salvatore Bonaccorso Wed, 13 May 2020 17:44:43 +0200 diff --git a/debian/patches/bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch b/debian/patches/bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch new file mode 100644 index 000000000..412997510 --- /dev/null +++ b/debian/patches/bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch @@ -0,0 +1,43 @@ +From: Jann Horn +Date: Sat, 29 Sep 2018 03:49:26 +0200 +Subject: apparmor: don't try to replace stale label in ptraceme check +Origin: https://git.kernel.org/linus/ca3fde5214e1d24f78269b337d3f22afd6bf445e +Bug-Debian: https://bugs.debian.org/963493 + +begin_current_label_crit_section() must run in sleepable context because +when label_is_stale() is true, aa_replace_current_label() runs, which uses +prepare_creds(), which can sleep. + +Until now, the ptraceme access check (which runs with tasklist_lock held) +violated this rule. + +Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels") +Reported-by: Cyrill Gorcunov +Reported-by: kernel test robot +Signed-off-by: Jann Horn +Signed-off-by: John Johansen +--- + security/apparmor/lsm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c +index 2c842f24821b..d08aac05c65a 100644 +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -132,11 +132,11 @@ static int apparmor_ptrace_traceme(struct task_struct *parent) + struct aa_label *tracer, *tracee; + int error; + +- tracee = begin_current_label_crit_section(); ++ tracee = __begin_current_label_crit_section(); + tracer = aa_get_task_label(parent); + error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); + aa_put_label(tracer); +- end_current_label_crit_section(tracee); ++ __end_current_label_crit_section(tracee); + + return error; + } +-- +2.27.0 + diff --git a/debian/patches/series b/debian/patches/series index 7c5e87467..fe2527ec2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -102,6 +102,7 @@ bugfix/all/mt76-use-the-correct-hweight8-function.patch bugfix/all/rtc-s35390a-set-uie_unsupported.patch bugfix/all/include-uapi-linux-swab.h-fix-userspace-breakage-use.patch bugfix/all/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch +bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch # Miscellaneous features