summaryrefslogtreecommitdiffstats
path: root/kernel/cred.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2019-06-12 03:44:45 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2019-06-12 03:44:45 +0200
commitaa7235483a838be79b7c22a86b0dc4cb12ee5dd6 (patch)
treed89a5978232e8dfaf47953a1b7d9ce7599b892b0 /kernel/cred.c
parentMerge branch 'stable/for-linus-5.2' of git://git.kernel.org/pub/scm/linux/ker... (diff)
parentptrace: restore smp_rmb() in __ptrace_may_access() (diff)
downloadlinux-aa7235483a838be79b7c22a86b0dc4cb12ee5dd6.tar.xz
linux-aa7235483a838be79b7c22a86b0dc4cb12ee5dd6.zip
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull ptrace fixes from Eric Biederman: "This is just two very minor fixes: - prevent ptrace from reading unitialized kernel memory found twice by syzkaller - restore a missing smp_rmb in ptrace_may_access and add comment tp it so it is not removed by accident again. Apologies for being a little slow about getting this to you, I am still figuring out how to develop with a little baby in the house" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: ptrace: restore smp_rmb() in __ptrace_may_access() signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
Diffstat (limited to 'kernel/cred.c')
-rw-r--r--kernel/cred.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/kernel/cred.c b/kernel/cred.c
index e74ffdc98a92..c73a87a4df13 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -446,6 +446,15 @@ int commit_creds(struct cred *new)
if (task->mm)
set_dumpable(task->mm, suid_dumpable);
task->pdeath_signal = 0;
+ /*
+ * If a task drops privileges and becomes nondumpable,
+ * the dumpability change must become visible before
+ * the credential change; otherwise, a __ptrace_may_access()
+ * racing with this change may be able to attach to a task it
+ * shouldn't be able to attach to (as if the task had dropped
+ * privileges without becoming nondumpable).
+ * Pairs with a read barrier in __ptrace_may_access().
+ */
smp_wmb();
}