ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272)
This commit is contained in:
parent
eb5241a213
commit
c6f3814dc4
|
@ -1,6 +1,7 @@
|
||||||
linux (4.19.37-6) UNRELEASED; urgency=medium
|
linux (4.19.37-6) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
* tcp: refine memory limit test in tcp_fragment() (Closes: #930904)
|
* tcp: refine memory limit test in tcp_fragment() (Closes: #930904)
|
||||||
|
* ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272)
|
||||||
|
|
||||||
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 23 Jun 2019 16:15:17 +0200
|
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 23 Jun 2019 16:15:17 +0200
|
||||||
|
|
||||||
|
|
57
debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
vendored
Normal file
57
debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
vendored
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
From: Jann Horn <jannh@google.com>
|
||||||
|
Date: Thu, 4 Jul 2019 17:32:23 +0200
|
||||||
|
Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
|
||||||
|
Origin: https://git.kernel.org/linus/6994eefb0053799d2e07cd140df6c2ea106c41ee
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13272
|
||||||
|
|
||||||
|
Fix two issues:
|
||||||
|
|
||||||
|
When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
|
||||||
|
reference to the parent's objective credentials, then give that pointer
|
||||||
|
to get_cred(). However, the object lifetime rules for things like
|
||||||
|
struct cred do not permit unconditionally turning an RCU reference into
|
||||||
|
a stable reference.
|
||||||
|
|
||||||
|
PTRACE_TRACEME records the parent's credentials as if the parent was
|
||||||
|
acting as the subject, but that's not the case. If a malicious
|
||||||
|
unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
|
||||||
|
at a later point, the parent process becomes attacker-controlled
|
||||||
|
(because it drops privileges and calls execve()), the attacker ends up
|
||||||
|
with control over two processes with a privileged ptrace relationship,
|
||||||
|
which can be abused to ptrace a suid binary and obtain root privileges.
|
||||||
|
|
||||||
|
Fix both of these by always recording the credentials of the process
|
||||||
|
that is requesting the creation of the ptrace relationship:
|
||||||
|
current_cred() can't change under us, and current is the proper subject
|
||||||
|
for access control.
|
||||||
|
|
||||||
|
This change is theoretically userspace-visible, but I am not aware of
|
||||||
|
any code that it will actually break.
|
||||||
|
|
||||||
|
Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
|
||||||
|
Signed-off-by: Jann Horn <jannh@google.com>
|
||||||
|
Acked-by: Oleg Nesterov <oleg@redhat.com>
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
---
|
||||||
|
kernel/ptrace.c | 4 +---
|
||||||
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
|
||||||
|
index 8456b6e2205f..705887f63288 100644
|
||||||
|
--- a/kernel/ptrace.c
|
||||||
|
+++ b/kernel/ptrace.c
|
||||||
|
@@ -79,9 +79,7 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent,
|
||||||
|
*/
|
||||||
|
static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
|
||||||
|
{
|
||||||
|
- rcu_read_lock();
|
||||||
|
- __ptrace_link(child, new_parent, __task_cred(new_parent));
|
||||||
|
- rcu_read_unlock();
|
||||||
|
+ __ptrace_link(child, new_parent, current_cred());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
|
@ -228,6 +228,7 @@ bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch
|
||||||
bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch
|
bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch
|
||||||
bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
|
bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
|
||||||
bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch
|
bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch
|
||||||
|
bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|
Loading…
Reference in New Issue