Release linux (4.19.37-5+deb10u1).

-----BEGIN PGP SIGNATURE----- iQKmBAABCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl0xhh1fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89E8nEP/iF7NUo1hvYNR/ueapgtpnMaHh/OeiGp x5/4RQW9Lo+Y8djiJWr9Kh7DVT7zp2k6OOb6o2qypgpEpFGGZAf02E3kheTJMhJz XxDHyGRflQpXDsEbPCcWCXvJjH/7puV/GWATPYo9qE/hs9rBAiFsOlOTqWSJf8Yd rVxjRRXe9/qRcOV4OJyiuL2GbeL7eO3TqTEl1NVSNP4V1RjYFFy/CUelWAcGzUOI tkk+NM7CEspQQhpIRkSGB+GyYMvOFNi2mkrz+mJbSUeb75uiZq3myJqHiQOKpwHe OGJiVBD4Ce8pv3PvR9bFZwgOV2t1XTDOeyUcmh8C07SblwI6iM/vi/nWw7B9VUEH X2EB/3/TuhKgJHtYpFZdi1mlRrt+6YYgDmbFVUyjojZhOONlVagwq2vaX0ep6yI4 FOQo4kpCG10yse4JxUS0Unv6hk7ShfLe/Kb9lOJvPSZM5dCutWTQrRO05gTyFaev orMZou9lsXYDTzpFAICE2ZhCcySvYLqvPkkCoabiECMlJE2Ra/rsHiuQEcSNjG8E A8EqJhElt+W8mvTkofG5yL3oguD6yg4Qf0luKOl0bEcZyBXDbK4nHtHAwcBNoR5X zNfrikCyo7jPX3JGH3F8wYE9vc04SO+YEkvcyZcLTOUBiDIpZgC4r3IOyBDgzv1K KDIBNpFCBL0Z =794G -----END PGP SIGNATURE----- Merge tag 'debian/4.19.37-5+deb10u1' into buster Release linux (4.19.37-5+deb10u1).
2019-07-20 23:07:45 +02:00 · 2019-07-20 23:07:45 +02:00 · 01d9fffd29
parent 2a02d306dd 786d73da80
commit 01d9fffd29
3 changed files with 65 additions and 3 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -3,9 +3,6 @@ linux (4.19.37-6) UNRELEASED; urgency=medium
  [ John Paul Adrian Glaubitz ]
  * [sh4]: Check for kprobe trap number before trying to handle a kprobe trap

-  [ Salvatore Bonaccorso ]
-  * tcp: refine memory limit test in tcp_fragment() (Closes: #930904)
-
  [ Steve McIntyre ]
  * [arm64] Improve support for the Huawei TaiShan server platform
    (Closes: #930554):
@ -16,6 +13,13 @@ linux (4.19.37-6) UNRELEASED; urgency=medium

 -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 23 Jun 2019 16:15:17 +0200

+linux (4.19.37-5+deb10u1) buster-security; urgency=high
+
+  * tcp: refine memory limit test in tcp_fragment() (Closes: #930904)
+  * ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 19 Jul 2019 10:45:17 +0200
+
 linux (4.19.37-5) unstable; urgency=medium

  [ Romain Perier ]
--- a/debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
+++ b/debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
@ -0,0 +1,57 @@
+From: Jann Horn <jannh@google.com>
+Date: Thu, 4 Jul 2019 17:32:23 +0200
+Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
+Origin: https://git.kernel.org/linus/6994eefb0053799d2e07cd140df6c2ea106c41ee
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13272
+
+Fix two issues:
+
+When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
+reference to the parent's objective credentials, then give that pointer
+to get_cred().  However, the object lifetime rules for things like
+struct cred do not permit unconditionally turning an RCU reference into
+a stable reference.
+
+PTRACE_TRACEME records the parent's credentials as if the parent was
+acting as the subject, but that's not the case.  If a malicious
+unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
+at a later point, the parent process becomes attacker-controlled
+(because it drops privileges and calls execve()), the attacker ends up
+with control over two processes with a privileged ptrace relationship,
+which can be abused to ptrace a suid binary and obtain root privileges.
+
+Fix both of these by always recording the credentials of the process
+that is requesting the creation of the ptrace relationship:
+current_cred() can't change under us, and current is the proper subject
+for access control.
+
+This change is theoretically userspace-visible, but I am not aware of
+any code that it will actually break.
+
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ kernel/ptrace.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 8456b6e2205f..705887f63288 100644
+--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
+@@ -79,9 +79,7 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent,
+  */
+ static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+-	rcu_read_lock();
+-	__ptrace_link(child, new_parent, __task_cred(new_parent));
+-	rcu_read_unlock();
+	__ptrace_link(child, new_parent, current_cred());
+ }
+ 
+ /**
+-- 
+2.20.1
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -229,6 +229,7 @@ bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch
 bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch
 bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
 bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch
+bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch