From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from thejh.net ([37.221.195.125]:48234 "EHLO thejh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1761444AbcIWUkw (ORCPT ); Fri, 23 Sep 2016 16:40:52 -0400 From: Jann Horn To: Alexander Viro , Roland McGrath , Oleg Nesterov , John Johansen , James Morris , "Serge E. Hallyn" , Paul Moore , Stephen Smalley , Eric Paris , Casey Schaufler , Kees Cook , Andrew Morton , Janis Danisevskis , Seth Forshee , "Eric . Biederman" , Thomas Gleixner , Benjamin LaHaise , Ben Hutchings , Andy Lutomirski , Linus Torvalds Cc: linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org Subject: [PATCH v2 6/8] ptrace: warn on ptrace_may_access without proper locking Date: Fri, 23 Sep 2016 22:40:36 +0200 Message-Id: <1474663238-22134-7-git-send-email-jann@thejh.net> In-Reply-To: <1474663238-22134-1-git-send-email-jann@thejh.net> References: <1474663238-22134-1-git-send-email-jann@thejh.net> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: If neither of those locks is taken during a ptrace_may_access() call, that is a strong indicator for a security bug where post-execve process properties can be leaked by racing with execve(). Signed-off-by: Jann Horn --- kernel/ptrace.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 29ace11..17c2245 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -225,6 +225,9 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode, kuid_t caller_uid; kgid_t caller_gid; + WARN_ON(!mutex_is_locked(&task->signal->cred_guard_mutex) && + !mutex_is_locked(&task->signal->cred_guard_light)); + if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) { WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n"); return -EPERM; -- 2.1.4