From patchwork Sun Sep 18 15:05:14 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jann Horn <jann@thejh.net>
X-Patchwork-Id: 9337913
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	6F70A6089F
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Sun, 18 Sep 2016 15:05:46 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 61CDF28CDF
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Sun, 18 Sep 2016 15:05:46 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 5699228CED; Sun, 18 Sep 2016 15:05:46 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EF00128CEB
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Sun, 18 Sep 2016 15:05:45 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S936016AbcIRPFo (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Sun, 18 Sep 2016 11:05:44 -0400
Received: from thejh.net ([37.221.195.125]:46333 "EHLO thejh.net"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S936003AbcIRPFg (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Sun, 18 Sep 2016 11:05:36 -0400
Received: from pc.thejh.net (pc.vpn [192.168.44.2])
	by thejh.net (Postfix) with ESMTPSA id 3BEFF1826AD;
	Sun, 18 Sep 2016 17:05:34 +0200 (CEST)
From: Jann Horn <jann@thejh.net>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
	Roland McGrath <roland@hack.frob.com>, Oleg Nesterov <oleg@redhat.com>,
	John Johansen <john.johansen@canonical.com>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>, Paul Moore <aul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>, Eric Paris <eparis@parisplace.org>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Kees Cook <eescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Janis Danisevskis <jdanis@google.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	"Eric . Biederman" <ebiederm@xmission.com>,
	Thomas Gleixner <tglx@linutronix.de>, Benjamin LaHaise <bcrl@kvack.org>
Cc: linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, security@kernel.org
Subject: [PATCH 6/9] ptrace: warn on ptrace_may_access without proper locking
Date: Sun, 18 Sep 2016 17:05:14 +0200
Message-Id: <1474211117-16674-7-git-send-email-jann@thejh.net>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1474211117-16674-1-git-send-email-jann@thejh.net>
References: <1474211117-16674-1-git-send-email-jann@thejh.net>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

If neither of those locks is taken during a ptrace_may_access() call, that
is a strong indicator for a security bug where post-execve process
properties can be leaked by racing with execve().

Signed-off-by: Jann Horn <jann@thejh.net>
---
 kernel/ptrace.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index dc7594a..b311ca5 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -224,6 +224,9 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
 	kuid_t caller_uid;
 	kgid_t caller_gid;
 
+	WARN_ON(!mutex_is_locked(&task->signal->cred_guard_mutex) &&
+		!mutex_is_locked(&task->signal->cred_guard_light));
+
 	if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) {
 		WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n");
 		return -EPERM;