diff --git a/debian/changelog b/debian/changelog index 379309ff4..4ae864a07 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ linux (4.19.37-6) UNRELEASED; urgency=medium * tcp: refine memory limit test in tcp_fragment() (Closes: #930904) + * ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272) -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 diff --git a/debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch b/debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch new file mode 100644 index 000000000..68f942e40 --- /dev/null +++ b/debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch @@ -0,0 +1,57 @@ +From: Jann Horn +Date: Thu, 4 Jul 2019 17:32:23 +0200 +Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME +Origin: https://git.kernel.org/linus/6994eefb0053799d2e07cd140df6c2ea106c41ee +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13272 + +Fix two issues: + +When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU +reference to the parent's objective credentials, then give that pointer +to get_cred(). However, the object lifetime rules for things like +struct cred do not permit unconditionally turning an RCU reference into +a stable reference. + +PTRACE_TRACEME records the parent's credentials as if the parent was +acting as the subject, but that's not the case. If a malicious +unprivileged child uses PTRACE_TRACEME and the parent is privileged, and +at a later point, the parent process becomes attacker-controlled +(because it drops privileges and calls execve()), the attacker ends up +with control over two processes with a privileged ptrace relationship, +which can be abused to ptrace a suid binary and obtain root privileges. + +Fix both of these by always recording the credentials of the process +that is requesting the creation of the ptrace relationship: +current_cred() can't change under us, and current is the proper subject +for access control. + +This change is theoretically userspace-visible, but I am not aware of +any code that it will actually break. + +Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP") +Signed-off-by: Jann Horn +Acked-by: Oleg Nesterov +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +--- + kernel/ptrace.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 8456b6e2205f..705887f63288 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -79,9 +79,7 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent, + */ + static void ptrace_link(struct task_struct *child, struct task_struct *new_parent) + { +- rcu_read_lock(); +- __ptrace_link(child, new_parent, __task_cred(new_parent)); +- rcu_read_unlock(); ++ __ptrace_link(child, new_parent, current_cred()); + } + + /** +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index 7733ab58a..021d7eaa2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -228,6 +228,7 @@ bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch +bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch