From 95e2efd89c60e946ff81e44dc502c0f4d7816373 Mon Sep 17 00:00:00 2001
From: Koichiro Iwao
Date: Mon, 18 May 2026 05:40:22 +0000
Subject: [PATCH] Apply ssh-keysign-pwn fix

(cherry picked from commit 1b378ac0765b0d699601c17562fa8683d235ff14)
---
 ...4-ptrace-require-cap-on-mm-less-task.patch | 55 +++++++++++++++++++
 SPECS/raspberrypi2.spec | 4 ++
 2 files changed, 59 insertions(+)
 create mode 100644 SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch

diff --git a/SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch b/SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch
new file mode 100644
index 0000000..762151e
--- /dev/null
+++ b/SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch
@@ -0,0 +1,55 @@
+From: Andrew Lukoshko
+Subject: [PATCH AlmaLinux 10] ptrace: require CAP_SYS_PTRACE when task has no mm
+
+kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
+("ptrace: slightly saner 'get_dumpable()' logic") posted at
+https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+
+The upstream fix adds a 'user_dumpable:1' bit to task_struct and
+caches the last dumpability in exit_mm() so __ptrace_may_access()
+can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
+threads or already-exited user tasks). That layout change to
+task_struct breaks kABI on AlmaLinux 10 (the symtype
+signature of struct task_struct is referenced by hundreds of
+stablelist exports), so we cannot import the field/exit_mm hunks
+as-is.
+
+Take the minimal kABI-safe slice instead: when task->mm == NULL,
+require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
+the Qualys Security Advisory hole -- mm-less targets no longer pass
+the dumpability check by default -- without touching task_struct or
+exit.c. The only behavioural delta versus upstream is that a user
+task that has already cleared its mm in exit_mm() (a dying/zombie
+task) now also requires CAP_SYS_PTRACE to attach, instead of being
+remembered as previously dumpable. Such targets are rarely ptraced
+in practice.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.56.1.el10_1.
+
+Reported-by: Qualys Security Advisory
+Signed-off-by: Andrew Lukoshko
+---
+ kernel/ptrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -339,8 +339,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ smp_rmb();
+ mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (mm) {
++ if ((get_dumpable(mm) != SUID_DUMP_USER) &&
++ !ptrace_has_cap(mm->user_ns, mode))
++ return -EPERM;
++ } else if (!ptrace_has_cap(&init_user_ns, mode)) {
++ return -EPERM;
++ }
+ 
+ return security_ptrace_access_check(task, mode);
+--
+2.43.0
diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec
index c68ce9a..bd98b32 100644
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@@ -60,6 +60,8 @@ Patch1101: 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 Patch1102: 1102-rxrpc-linearize-paged-frags.patch
 ## CVE-2026-46300: Fragnesia
 Patch1103: 1103-net-skbuff-propagate-shared-frag-marker.patch
+## CVE-2026-46333: ssh-keysign-pwn
+Patch1104: 1104-ptrace-require-cap-on-mm-less-task.patch
 
 BuildRequires: kmod, patch, bash, coreutils, tar
 BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk
@@ -243,6 +245,7 @@ glibc package.
 %patch -P 1101 -p1
 %patch -P 1102 -p1
 %patch -P 1103 -p1
+%patch -P 1104 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig
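Review bot: The new `else if (!ptrace_has_cap(&init_user_ns, mode))` branch carries no comment, so the two decisions it embodies — treating an absent mm as non-dumpable, and checking the capability in `init_user_ns` rather than in the target's own user namespace the way the `mm` branch does via `mm->user_ns` — are recorded only in the patch description and will be invisible to anyone reading ptrace.c later. I would put above it: `/* No mm (kthread, or a task past exit_mm()) means no dumpability to consult; kABI-safe stand-in for upstream's cached user_dumpable bit: require CAP_SYS_PTRACE in the initial userns. */`. The effect is also wider than PTRACE_ATTACH: `__ptrace_may_access()` backs the PTRACE_MODE_READ checks used by several /proc/<pid> files, so a same-uid reader without CAP_SYS_PTRACE that previously passed this point for an exiting task will now get -EPERM here — that is inferred from the callers rather than visible in the hunk, but it deserves a sentence in the description and a regression check of the /proc consumers. The uid/gid comparison and the rest of `__ptrace_may_access()` lie outside the hunk.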
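Review bot: The added `Patch1104:` line (with its matching `%patch -P 1104 -p1` in the %prep hunk) changes the kernel that gets built, yet none of the four spec insertions the diffstat reports touches the `Release:` tag — the fourth is a changelog line appended to the existing `6.12.47-20250916.v8.6` stanza rather than a new one. If v8.6 has already been published, the ptrace-patched build carries the same EVR as the unpatched one, so rpm/dnf will not offer it as an update and the fix will not reach installed systems; the usual shape would be a bump to v8.7 with its own `* <date> ... - 6.12.47-20250916.v8.7` changelog stanza. The `Release:` definition itself is outside the hunks, so this is inferred from the diffstat rather than from the changed lines. The `## CVE-2026-46333: ssh-keysign-pwn` comment follows the existing Patch1103 convention, which is good.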
@@ -549,6 +552,7 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %changelog
 * Thu May 14 2026 Koichiro Iwao - 6.12.47-20250916.v8.6
 - net: skbuff: propagate shared-frag marker through pskb_copy() {CVE-2026-46300}
+- ptrace: require CAP_SYS_PTRACE when task has no mm {CVE-2026-46333}
 
 * Fri May 08 2026 Koichiro Iwao - 6.12.47-20250916.v8.5
 - rxrpc: linearize incoming DATA packet when it has paged frags {CVE-2026-43500}