diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-06-12 03:44:45 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-06-12 03:44:45 +0200 |
commit | aa7235483a838be79b7c22a86b0dc4cb12ee5dd6 (patch) | |
tree | d89a5978232e8dfaf47953a1b7d9ce7599b892b0 /kernel/cred.c | |
parent | Merge branch 'stable/for-linus-5.2' of git://git.kernel.org/pub/scm/linux/ker... (diff) | |
parent | ptrace: restore smp_rmb() in __ptrace_may_access() (diff) | |
download | linux-aa7235483a838be79b7c22a86b0dc4cb12ee5dd6.tar.xz linux-aa7235483a838be79b7c22a86b0dc4cb12ee5dd6.zip |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull ptrace fixes from Eric Biederman:
"This is just two very minor fixes:
- prevent ptrace from reading unitialized kernel memory found twice
by syzkaller
- restore a missing smp_rmb in ptrace_may_access and add comment tp
it so it is not removed by accident again.
Apologies for being a little slow about getting this to you, I am
still figuring out how to develop with a little baby in the house"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
ptrace: restore smp_rmb() in __ptrace_may_access()
signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
Diffstat (limited to 'kernel/cred.c')
-rw-r--r-- | kernel/cred.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/kernel/cred.c b/kernel/cred.c index e74ffdc98a92..c73a87a4df13 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -446,6 +446,15 @@ int commit_creds(struct cred *new) if (task->mm) set_dumpable(task->mm, suid_dumpable); task->pdeath_signal = 0; + /* + * If a task drops privileges and becomes nondumpable, + * the dumpability change must become visible before + * the credential change; otherwise, a __ptrace_may_access() + * racing with this change may be able to attach to a task it + * shouldn't be able to attach to (as if the task had dropped + * privileges without becoming nondumpable). + * Pairs with a read barrier in __ptrace_may_access(). + */ smp_wmb(); } |