Loading debian/changelog +7 −3 Original line number Diff line number Diff line Loading @@ -3,9 +3,6 @@ linux (4.19.37-6) UNRELEASED; urgency=medium [ John Paul Adrian Glaubitz ] * [sh4]: Check for kprobe trap number before trying to handle a kprobe trap [ Salvatore Bonaccorso ] * tcp: refine memory limit test in tcp_fragment() (Closes: #930904) [ Steve McIntyre ] * [arm64] Improve support for the Huawei TaiShan server platform (Closes: #930554): Loading @@ -16,6 +13,13 @@ linux (4.19.37-6) UNRELEASED; urgency=medium -- Salvatore Bonaccorso <carnil@debian.org> Sun, 23 Jun 2019 16:15:17 +0200 linux (4.19.37-5+deb10u1) buster-security; urgency=high * tcp: refine memory limit test in tcp_fragment() (Closes: #930904) * ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272) -- Salvatore Bonaccorso <carnil@debian.org> Fri, 19 Jul 2019 10:45:17 +0200 linux (4.19.37-5) unstable; urgency=medium [ Romain Perier ] Loading debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch 0 → 100644 +57 −0 Original line number Diff line number Diff line From: Jann Horn <jannh@google.com> Date: Thu, 4 Jul 2019 17:32:23 +0200 Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME Origin: https://git.kernel.org/linus/6994eefb0053799d2e07cd140df6c2ea106c41ee Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13272 Fix two issues: When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference to the parent's objective credentials, then give that pointer to get_cred(). However, the object lifetime rules for things like struct cred do not permit unconditionally turning an RCU reference into a stable reference. PTRACE_TRACEME records the parent's credentials as if the parent was acting as the subject, but that's not the case. If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship, which can be abused to ptrace a suid binary and obtain root privileges. Fix both of these by always recording the credentials of the process that is requesting the creation of the ptrace relationship: current_cred() can't change under us, and current is the proper subject for access control. This change is theoretically userspace-visible, but I am not aware of any code that it will actually break. Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP") Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> --- kernel/ptrace.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 8456b6e2205f..705887f63288 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -79,9 +79,7 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent, */ static void ptrace_link(struct task_struct *child, struct task_struct *new_parent) { - rcu_read_lock(); - __ptrace_link(child, new_parent, __task_cred(new_parent)); - rcu_read_unlock(); + __ptrace_link(child, new_parent, current_cred()); } /** -- 2.20.1 debian/patches/series +1 −0 Original line number Diff line number Diff line Loading @@ -229,6 +229,7 @@ bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch Loading Loading
debian/changelog +7 −3 Original line number Diff line number Diff line Loading @@ -3,9 +3,6 @@ linux (4.19.37-6) UNRELEASED; urgency=medium [ John Paul Adrian Glaubitz ] * [sh4]: Check for kprobe trap number before trying to handle a kprobe trap [ Salvatore Bonaccorso ] * tcp: refine memory limit test in tcp_fragment() (Closes: #930904) [ Steve McIntyre ] * [arm64] Improve support for the Huawei TaiShan server platform (Closes: #930554): Loading @@ -16,6 +13,13 @@ linux (4.19.37-6) UNRELEASED; urgency=medium -- Salvatore Bonaccorso <carnil@debian.org> Sun, 23 Jun 2019 16:15:17 +0200 linux (4.19.37-5+deb10u1) buster-security; urgency=high * tcp: refine memory limit test in tcp_fragment() (Closes: #930904) * ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272) -- Salvatore Bonaccorso <carnil@debian.org> Fri, 19 Jul 2019 10:45:17 +0200 linux (4.19.37-5) unstable; urgency=medium [ Romain Perier ] Loading
debian/patches/bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch 0 → 100644 +57 −0 Original line number Diff line number Diff line From: Jann Horn <jannh@google.com> Date: Thu, 4 Jul 2019 17:32:23 +0200 Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME Origin: https://git.kernel.org/linus/6994eefb0053799d2e07cd140df6c2ea106c41ee Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13272 Fix two issues: When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference to the parent's objective credentials, then give that pointer to get_cred(). However, the object lifetime rules for things like struct cred do not permit unconditionally turning an RCU reference into a stable reference. PTRACE_TRACEME records the parent's credentials as if the parent was acting as the subject, but that's not the case. If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship, which can be abused to ptrace a suid binary and obtain root privileges. Fix both of these by always recording the credentials of the process that is requesting the creation of the ptrace relationship: current_cred() can't change under us, and current is the proper subject for access control. This change is theoretically userspace-visible, but I am not aware of any code that it will actually break. Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP") Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> --- kernel/ptrace.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 8456b6e2205f..705887f63288 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -79,9 +79,7 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent, */ static void ptrace_link(struct task_struct *child, struct task_struct *new_parent) { - rcu_read_lock(); - __ptrace_link(child, new_parent, __task_cred(new_parent)); - rcu_read_unlock(); + __ptrace_link(child, new_parent, current_cred()); } /** -- 2.20.1
debian/patches/series +1 −0 Original line number Diff line number Diff line Loading @@ -229,6 +229,7 @@ bugfix/all/tcp-tcp_fragment-should-apply-sane-memory-limits.patch bugfix/all/tcp-add-tcp_min_snd_mss-sysctl.patch bugfix/all/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch bugfix/all/tcp-refine-memory-limit-test-in-tcp_fragment.patch bugfix/all/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch Loading
