[PATCH 1/2][xenial] Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires mapped uids/gids"

Seth Forshee seth.forshee at canonical.com
Wed Nov 9 03:47:02 UTC 2016


This reverts commit a76b8ce7ad1f65a96638f161ff83075de04ec9cc to
apply a more complete fix from linux-next.

CVE-2016-8709
Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
---
 kernel/ptrace.c | 30 +++++-------------------------
 1 file changed, 5 insertions(+), 25 deletions(-)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 32462e624ae3..3189e51db7e8 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -207,32 +207,12 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
 	return ret;
 }
 
-static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
+static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 {
-	struct user_namespace *tns = tcred->user_ns;
-	struct user_namespace *curns = current_cred()->user_ns;
-
-	/* When a root-owned process enters a user namespace created by a
-	 * malicious user, the user shouldn't be able to execute code under
-	 * uid 0 by attaching to the root-owned process via ptrace.
-	 * Therefore, similar to the capable_wrt_inode_uidgid() check,
-	 * verify that all the uids and gids of the target process are
-	 * mapped into the current namespace.
-	 * No fsuid/fsgid check because __ptrace_may_access doesn't do it
-	 * either.
-	 */
-	if (!kuid_has_mapping(curns, tcred->euid) ||
-			!kuid_has_mapping(curns, tcred->suid) ||
-			!kuid_has_mapping(curns, tcred->uid)  ||
-			!kgid_has_mapping(curns, tcred->egid) ||
-			!kgid_has_mapping(curns, tcred->sgid) ||
-			!kgid_has_mapping(curns, tcred->gid))
-		return false;
-
 	if (mode & PTRACE_MODE_NOAUDIT)
-		return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
+		return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
 	else
-		return has_ns_capability(current, tns, CAP_SYS_PTRACE);
+		return has_ns_capability(current, ns, CAP_SYS_PTRACE);
 }
 
 /* Returns 0 on success, -errno on denial. */
@@ -284,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 	    gid_eq(caller_gid, tcred->sgid) &&
 	    gid_eq(caller_gid, tcred->gid))
 		goto ok;
-	if (ptrace_has_cap(tcred, mode))
+	if (ptrace_has_cap(tcred->user_ns, mode))
 		goto ok;
 	rcu_read_unlock();
 	return -EPERM;
@@ -295,7 +275,7 @@ ok:
 		dumpable = get_dumpable(task->mm);
 	rcu_read_lock();
 	if (dumpable != SUID_DUMP_USER &&
-	    !ptrace_has_cap(__task_cred(task), mode)) {
+	    !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
 		rcu_read_unlock();
 		return -EPERM;
 	}
-- 
2.7.4





More information about the kernel-team mailing list