CRED: Guard the setprocattr security hook against ptrace
Guard the setprocattr security hook against ptrace by taking the target task's cred_guard_mutex around it.

The problem is that setprocattr() may otherwise note the lack of a debugger, and then perform an action on that basis whilst letting a debugger attach between the two points. Holding cred_guard_mutex across the test and the action prevents ptrace_attach() from doing that.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
hifive-unleashed-5.1
parent
5e751e992f
commit
107db7c7dd
|
@ -2128,9 +2128,15 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
|
||||||
if (copy_from_user(page, buf, count))
|
if (copy_from_user(page, buf, count))
|
||||||
goto out_free;
|
goto out_free;
|
||||||
|
|
||||||
|
/* Guard against adverse ptrace interaction */
|
||||||
|
length = mutex_lock_interruptible(&task->cred_guard_mutex);
|
||||||
|
if (length < 0)
|
||||||
|
goto out_free;
|
||||||
|
|
||||||
length = security_setprocattr(task,
|
length = security_setprocattr(task,
|
||||||
(char*)file->f_path.dentry->d_name.name,
|
(char*)file->f_path.dentry->d_name.name,
|
||||||
(void*)page, count);
|
(void*)page, count);
|
||||||
|
mutex_unlock(&task->cred_guard_mutex);
|
||||||
out_free:
|
out_free:
|
||||||
free_page((unsigned long) page);
|
free_page((unsigned long) page);
|
||||||
out:
|
out:
|
||||||
|
|
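Review bot: The added `mutex_lock_interruptible(&task->cred_guard_mutex)` gives the write a new failure path: if a signal arrives while the caller waits for the mutex, the negative return is stored in `length` and handed back through `out_free` without `security_setprocattr()` having run. A caller that ignores a failed write to the attribute file would carry on under its old security attributes, so the comment should state this, e.g. `/* Guard against adverse ptrace interaction; if interrupted, fail with the lock's error and change nothing */`. If only fatal signals are meant to abort the wait, `mutex_lock_killable()` would be the narrower choice; which of the two is intended cannot be told from the hunk. The body of proc_pid_attr_write starts and ends outside the hunk, so how `task` was obtained and what follows `out:` are not visible here.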