Andrew Lukoshko
a9e982b77d
ptrace: kABI-safe replacement of get_dumpable() fix The previous 124.56.4 shipped the upstream patch 31e62c2ebbfd as-is, which adds an 'unsigned user_dumpable:1' bit to task_struct. That layout change broke kABI: the symtype signature of struct task_struct is referenced by hundreds of stablelist exports, all of which got flagged by check-kabi during build. Replace with a minimal kABI-safe slice that only touches kernel/ptrace.c: when task->mm == NULL, require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes the Qualys advisory hole without modifying task_struct or exit_mm(). The behavioural delta vs upstream is that an already-exited user task whose mm has been cleared now also requires CAP_SYS_PTRACE.
56 lines
2.1 KiB
Diff
56 lines
2.1 KiB
Diff
From: Andrew Lukoshko <alukoshko@almalinux.org>
|
|
Subject: [PATCH AlmaLinux 10] ptrace: require CAP_SYS_PTRACE when task has no mm
|
|
|
|
kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
|
|
("ptrace: slightly saner 'get_dumpable()' logic") posted at
|
|
https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
|
|
|
|
The upstream fix adds a 'user_dumpable:1' bit to task_struct and
|
|
caches the last dumpability in exit_mm() so __ptrace_may_access()
|
|
can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
|
|
threads or already-exited user tasks). That layout change to
|
|
task_struct breaks kABI on AlmaLinux 10 (the symtype
|
|
signature of struct task_struct is referenced by hundreds of
|
|
stablelist exports), so we cannot import the field/exit_mm hunks
|
|
as-is.
|
|
|
|
Take the minimal kABI-safe slice instead: when task->mm == NULL,
|
|
require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
|
|
the Qualys Security Advisory hole -- mm-less targets no longer pass
|
|
the dumpability check by default -- without touching task_struct or
|
|
exit.c. The only behavioural delta versus upstream is that a user
|
|
task that has already cleared its mm in exit_mm() (a dying/zombie
|
|
task) now also requires CAP_SYS_PTRACE to attach, instead of being
|
|
remembered as previously dumpable. Such targets are rarely ptraced
|
|
in practice.
|
|
|
|
Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
|
|
against kernel-6.12.0-124.56.1.el10_1.
|
|
|
|
Reported-by: Qualys Security Advisory <qsa@qualys.com>
|
|
Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
|
|
---
|
|
kernel/ptrace.c | 11 +++++++----
|
|
1 file changed, 7 insertions(+), 4 deletions(-)
|
|
|
|
--- a/kernel/ptrace.c
|
|
+++ b/kernel/ptrace.c
|
|
@@ -339,8 +339,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
|
smp_rmb();
|
|
mm = task->mm;
|
|
- if (mm &&
|
|
- ((get_dumpable(mm) != SUID_DUMP_USER) &&
|
|
- !ptrace_has_cap(mm->user_ns, mode)))
|
|
- return -EPERM;
|
|
+ if (mm) {
|
|
+ if ((get_dumpable(mm) != SUID_DUMP_USER) &&
|
|
+ !ptrace_has_cap(mm->user_ns, mode))
|
|
+ return -EPERM;
|
|
+ } else if (!ptrace_has_cap(&init_user_ns, mode)) {
|
|
+ return -EPERM;
|
|
+ }
|
|
|
|
return security_ptrace_access_check(task, mode);
|
|
--
|
|
2.43.0
|