Andrew Lukoshko
08f074dc92
Apply on a9-beta the same four local patches that were carried on
the a9 branch until upstream landed them via the CKI Backport Bot
in 5.14.0-611.55.1.el9_7. Blobs imported verbatim from a9 history:
1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
CVE-2026-43284 -- el9 backport of upstream f4c50a4034e6.
1101-rxrpc-linearize-paged-frags.patch
CVE-2026-43500.
1102-net-skbuff-propagate-shared-frag-marker.patch
CVE-2026-46300 ("Fragnesia") -- v3 sibling to the xfrm/esp fix,
propagates SKBFL_SHARED_FRAG through __pskb_copy_fclone(),
skb_try_coalesce(), skb_shift(), skb_gro_receive() and
skb_gro_receive_list().
1103-ptrace-require-cap-on-mm-less-task.patch
CVE-2026-46333; kABI-safe replacement for upstream 31e62c2ebbfd
which would alter task_struct.
All four verified to apply with `patch -p1 -F0` against the
5.14.0-687.5.1.el9_8 source tree (offsets only, no fuzz, no
rejects). Release bumped 687.5.1 -> 687.5.3 with a single new
changelog stanza.
56 lines
2.2 KiB
Diff
56 lines
2.2 KiB
Diff
From: Andrew Lukoshko <alukoshko@almalinux.org>
|
|
Subject: [PATCH AlmaLinux 9] ptrace: require CAP_SYS_PTRACE when task has no mm
|
|
|
|
kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
|
|
("ptrace: slightly saner 'get_dumpable()' logic") posted at
|
|
https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
|
|
|
|
The upstream fix adds a 'user_dumpable:1' bit to task_struct and
|
|
caches the last dumpability in exit_mm() so __ptrace_may_access()
|
|
can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
|
|
threads or already-exited user tasks). That layout change to
|
|
task_struct breaks kABI on RHEL/AlmaLinux 9 (the symtype
|
|
signature of struct task_struct is referenced by stablelist exports
|
|
such as set_cpus_allowed_ptr() and wake_up_process()), so we cannot
|
|
import the field/exit_mm hunks as-is.
|
|
|
|
Take the minimal kABI-safe slice instead: when task->mm == NULL,
|
|
require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
|
|
the Qualys Security Advisory hole -- mm-less targets no longer pass
|
|
the dumpability check by default -- without touching task_struct or
|
|
exit.c. The only behavioural delta versus upstream is that a user
|
|
task that has already cleared its mm in exit_mm() (a dying/zombie
|
|
task) now also requires CAP_SYS_PTRACE to attach, instead of being
|
|
remembered as previously dumpable. Such targets are rarely ptraced
|
|
in practice.
|
|
|
|
Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
|
|
against kernel-5.14.0-611.54.1.el9_7.
|
|
|
|
Reported-by: Qualys Security Advisory <qsa@qualys.com>
|
|
Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
|
|
---
|
|
kernel/ptrace.c | 11 +++++++----
|
|
1 file changed, 7 insertions(+), 4 deletions(-)
|
|
|
|
--- a/kernel/ptrace.c
|
|
+++ b/kernel/ptrace.c
|
|
@@ -349,8 +349,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
|
smp_rmb();
|
|
mm = task->mm;
|
|
- if (mm &&
|
|
- ((get_dumpable(mm) != SUID_DUMP_USER) &&
|
|
- !ptrace_has_cap(mm->user_ns, mode)))
|
|
- return -EPERM;
|
|
+ if (mm) {
|
|
+ if ((get_dumpable(mm) != SUID_DUMP_USER) &&
|
|
+ !ptrace_has_cap(mm->user_ns, mode))
|
|
+ return -EPERM;
|
|
+ } else if (!ptrace_has_cap(&init_user_ns, mode)) {
|
|
+ return -EPERM;
|
|
+ }
|
|
|
|
return security_ptrace_access_check(task, mode);
|
|
--
|
|
2.43.0
|