Bug 1140671 (CVE-2019-13272) - VUL-0: CVE-2019-13272: kernel-source: Fix ->ptracer_cred handling for PTRACE_TRACEME
Summary: VUL-0: CVE-2019-13272: kernel-source: Fix ->ptracer_cred handling for PTRACE_...
Status: RESOLVED FIXED
Alias: CVE-2019-13272
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Frederic Weisbecker
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/236640/
Whiteboard: CVSSv3:SUSE:CVE-2019-13272:7.4:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-08 09:48 UTC by Michal Hocko
Modified: 2020-08-04 06:36 UTC
CC List: 6 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Michal Hocko 2019-07-08 09:48:20 UTC
From security@kernel.org:
From: Jann Horn <jannh@google.com>
Fix two issues:

When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference
to the parent's objective credentials, then give that pointer to
get_cred(). However, the object lifetime rules for things like struct cred
do not permit unconditionally turning an RCU reference into a stable
reference.

PTRACE_TRACEME records the parent's credentials as if the parent was acting
as the subject, but that's not the case. If a malicious unprivileged child
uses PTRACE_TRACEME and the parent is privileged, and at a later point, the
parent process becomes attacker-controlled (because it drops privileges and
calls execve()), the attacker ends up with control over two processes with
a privileged ptrace relationship, which can be abused to ptrace a suid
binary and obtain root privileges.

Fix both of these by always recording the credentials of the process that
is requesting the creation of the ptrace relationship: current_cred() can't
change under us, and current is the proper subject for access control.

This change is theoretically userspace-visible, but I am not aware of any
code that it will actually break.

Cc: stable@vger.kernel.org
Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
Signed-off-by: Jann Horn <jannh@google.com>
---
As usual, I'm not entirely sure which tree this should go through... Eric's
or akpm's?

 kernel/ptrace.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 8456b6e2205f..705887f63288 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -79,9 +79,7 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent,
  */
 static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
 {
-       rcu_read_lock();
-       __ptrace_link(child, new_parent, __task_cred(new_parent));
-       rcu_read_unlock();
+       __ptrace_link(child, new_parent, current_cred());
 }
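Review bot: the doc comment that closes at the `*/` immediately above `ptrace_link()` is left untouched although the hunk changes what the function records; since the commit message itself calls the new behaviour userspace-visible, the comment should state that the credentials stored for the relationship are now those of the requesting task (`current`), not of `new_parent`, and a one-line note at the call site would help future readers, e.g. `/* current is the requester and the proper subject for later access checks */`. The mechanical change is sound on its own terms: the `rcu_read_lock()`/`rcu_read_unlock()` pair only existed to protect the `__task_cred(new_parent)` lookup, and `current_cred()` belongs to the calling task and cannot change underneath it, so no RCU section is needed and the RCU-to-stable reference conversion the message describes disappears with it.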

Linus has pulled the fix into 5.2 as 6994eefb0053 ("ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME")
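The relationship the description is about, as an added example that is not code from this bug report, the kernel tree or SUSE: the child calls PTRACE_TRACEME and stops itself; the parent never calls ptrace() to attach, yet the kernel records it as the child's tracer. Before 6994eefb0053 the credentials stored for that link were the parent's, which is why a privileged parent that later drops privileges and execs attacker-controlled code leaves the attacker with a privileged ptrace relationship. The program only uses the standard ptrace(2) and /proc/<pid>/status interfaces, needs no privilege, and exploits nothing; the function names are this example's own.

```c
/* Added example (not from the bug report or the kernel): a PTRACE_TRACEME
 * relationship created by the tracee, verified by the tracer via /proc.
 * Linux only.  Yama ptrace_scope 0 or 1 permit an unprivileged
 * PTRACE_TRACEME; scope 2 needs CAP_SYS_PTRACE in the parent, scope 3
 * refuses it outright. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse the "TracerPid:\t<n>" line out of the text of /proc/<pid>/status.
 * Returns the tracer pid (0 = not traced), or -1 if the field is absent
 * or has no numeric value. */
long parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            char *end;
            long v = strtol(line + 10, &end, 10);
            return end == line + 10 ? -1 : v;   /* -1: key without digits */
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Read /proc/<pid>/status and return its TracerPid, or -1 on error. */
long tracer_pid_of(pid_t pid)
{
    char path[64], buf[4096];
    FILE *f;
    size_t n;

    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    f = fopen(path, "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Fork a child that requests PTRACE_TRACEME and stops itself; confirm from
 * the parent that the parent is now recorded as its tracer; detach; reap.
 * Returns 0 on success, a negative step code on failure. */
int demo_traceme(void)
{
    int status;
    pid_t child = fork();

    if (child < 0)
        return -1;
    if (child == 0) {
        /* Child: the tracee creates the relationship; the parent did nothing. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(2);
        raise(SIGSTOP);                  /* hand control to the tracer */
        _exit(0);
    }

    /* Parent: the traced child's SIGSTOP is reported to us as a ptrace stop. */
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
        return -2;                       /* ptrace refused: child exited with 2 */
    if (tracer_pid_of(child) != getpid())
        return -3;                       /* kernel does not list us as tracer */

    /* Release the child without delivering the stop signal; it exits normally. */
    if (ptrace(PTRACE_DETACH, child, NULL, (void *)0) < 0)
        return -4;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status))
        return -5;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = demo_traceme();
    printf("PTRACE_TRACEME demo: %s (rc=%d)\n",
           rc == 0 ? "parent is the child's tracer" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -o traceme traceme.c` and run as an unprivileged user. An rc of -2 means the child's PTRACE_TRACEME was refused (Yama scope 2 or 3, a seccomp filter, or a container that denies ptrace); the point of the exercise is that the tracer side never calls PTRACE_ATTACH, so whatever credentials the kernel attaches to the link come from its view of who "requested" it, which is exactly what the fix changes from the parent to `current`.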
Comment 1 Michal Hocko 2019-07-08 09:51:27 UTC
Fixes tag suggests 4.10+ (SLE15 based products). We do not seem to have 6994eefb0053 in SLE12-SP3 or older kernels.
Comment 3 Marcus Meissner 2019-07-08 11:46:39 UTC
seems in mainline git already:

commit 6994eefb0053799d2e07cd140df6c2ea106c41ee
Author: Jann Horn <jannh@google.com>
Date:   Thu Jul 4 17:32:23 2019 +0200

    ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
    
    Fix two issues:
    
    When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
    reference to the parent's objective credentials, then give that pointer
    to get_cred().  However, the object lifetime rules for things like
    struct cred do not permit unconditionally turning an RCU reference into
    a stable reference.
    
    PTRACE_TRACEME records the parent's credentials as if the parent was
    acting as the subject, but that's not the case.  If a malicious
    unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
    at a later point, the parent process becomes attacker-controlled
    (because it drops privileges and calls execve()), the attacker ends up
    with control over two processes with a privileged ptrace relationship,
    which can be abused to ptrace a suid binary and obtain root privileges.
    
    Fix both of these by always recording the credentials of the process
    that is requesting the creation of the ptrace relationship:
    current_cred() can't change under us, and current is the proper subject
    for access control.
    
    This change is theoretically userspace-visible, but I am not aware of
    any code that it will actually break.
    
    Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Comment 4 Frederic Weisbecker 2019-07-17 00:51:35 UTC
Indeed, it's not in SLE12-SP3 (and probably not before). The issue looks serious. Should I backport it?
Comment 6 Douglas Jacobsen 2019-09-25 11:43:25 UTC
Hello,

Are there further updates on integration of these corrections into the SLES15/OpenSuSE15 kernels?

Thanks,
Doug
Comment 7 Frederic Weisbecker 2019-09-27 13:06:30 UTC
(In reply to Douglas Jacobsen from comment #6)
> Hello,
> 
> Are there further updates on integration of these corrections into the
> SLES15/OpenSuSE15 kernels?
> 
> Thanks,
> Doug

Sorry for the delay, backporting that now.

Thanks.
Comment 13 Swamp Workflow Management 2019-11-12 23:20:29 UTC
SUSE-SU-2019:2949-1: An update that solves 49 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1051510,1084878,1117665,1131107,1133140,1135966,1135967,1136261,1137865,1139073,1140671,1141013,1141054,1142458,1143187,1144123,1144903,1145477,1146042,1146163,1146285,1146361,1146378,1146391,1146413,1146425,1146512,1146514,1146516,1146519,1146524,1146526,1146529,1146540,1146543,1146547,1146550,1146584,1146589,1147022,1147122,1148394,1148938,1149083,1149376,1149522,1149527,1149555,1149612,1150025,1150112,1150452,1150457,1150465,1150727,1150942,1151347,1151350,1152685,1152782,1152788,1153158,1153263,1154103,1154372,1155131,1155671
CVE References: CVE-2016-10906,CVE-2017-18379,CVE-2017-18509,CVE-2017-18551,CVE-2017-18595,CVE-2018-12207,CVE-2018-20976,CVE-2019-0154,CVE-2019-0155,CVE-2019-10220,CVE-2019-11135,CVE-2019-13272,CVE-2019-14814,CVE-2019-14815,CVE-2019-14816,CVE-2019-14821,CVE-2019-14835,CVE-2019-15098,CVE-2019-15211,CVE-2019-15212,CVE-2019-15214,CVE-2019-15215,CVE-2019-15216,CVE-2019-15217,CVE-2019-15218,CVE-2019-15219,CVE-2019-15220,CVE-2019-15221,CVE-2019-15239,CVE-2019-15290,CVE-2019-15291,CVE-2019-15505,CVE-2019-15666,CVE-2019-15807,CVE-2019-15902,CVE-2019-15924,CVE-2019-15926,CVE-2019-15927,CVE-2019-16232,CVE-2019-16233,CVE-2019-16234,CVE-2019-16413,CVE-2019-16995,CVE-2019-17055,CVE-2019-17056,CVE-2019-17133,CVE-2019-17666,CVE-2019-9456,CVE-2019-9506
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1
SUSE OpenStack Cloud 8 (src):    kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.180-94.107.1
SUSE Enterprise Storage 5 (src):    kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1
SUSE CaaS Platform 3.0 (src):    kernel-default-4.4.180-94.107.1
HPE Helion Openstack 8 (src):    kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2019-11-15 14:14:19 UTC
SUSE-SU-2019:2984-1: An update that solves 49 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1068032,1084878,1092497,1106913,1117665,1135966,1135967,1137865,1139550,1140671,1141054,1144338,1144903,1145477,1146285,1146361,1146378,1146391,1146413,1146425,1146512,1146514,1146516,1146519,1146584,1147122,1148394,1148938,1149376,1149522,1149527,1149555,1149612,1149849,1150025,1150112,1150223,1150452,1150457,1150465,1150466,1151347,1151350,1152685,1152782,1152788,1153158,1154372,1155671,1155898,1156187
CVE References: CVE-2016-10906,CVE-2017-18509,CVE-2017-18595,CVE-2018-12207,CVE-2018-20976,CVE-2019-0154,CVE-2019-0155,CVE-2019-10220,CVE-2019-11135,CVE-2019-13272,CVE-2019-14814,CVE-2019-14815,CVE-2019-14816,CVE-2019-14821,CVE-2019-14835,CVE-2019-15098,CVE-2019-15211,CVE-2019-15212,CVE-2019-15214,CVE-2019-15215,CVE-2019-15216,CVE-2019-15217,CVE-2019-15218,CVE-2019-15219,CVE-2019-15220,CVE-2019-15221,CVE-2019-15290,CVE-2019-15291,CVE-2019-15505,CVE-2019-15666,CVE-2019-15807,CVE-2019-15902,CVE-2019-15924,CVE-2019-15926,CVE-2019-15927,CVE-2019-16231,CVE-2019-16232,CVE-2019-16233,CVE-2019-16234,CVE-2019-16413,CVE-2019-16995,CVE-2019-17055,CVE-2019-17056,CVE-2019-17133,CVE-2019-17666,CVE-2019-18680,CVE-2019-18805,CVE-2019-9456,CVE-2019-9506
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.125.1, kernel-source-4.4.121-92.125.1, kernel-syms-4.4.121-92.125.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.125.1, kernel-source-4.4.121-92.125.1, kernel-syms-4.4.121-92.125.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.125.1, kernel-source-4.4.121-92.125.1, kernel-syms-4.4.121-92.125.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.125.1, kernel-source-4.4.121-92.125.1, kernel-syms-4.4.121-92.125.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.121-92.125.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Alexander Bergmann 2019-11-21 15:17:51 UTC
The __ptrace_link() function in SLE-11-SP3/4 is not using the get_cred() function as described in comment 0. Therefore the code is not affected by this issue.

Here's the patch that introduces this functionality:
https://github.com/openSUSE/kernel/commit/c70d9d809fdeecedb96972457ee45c49a232d97f
Comment 17 Marcus Meissner 2020-06-15 15:27:54 UTC
For SLES 12 SP4 already released with git-fixes

   http://lists.suse.com/pipermail/sle-security-updates/2019-August/005786.html

For SLES 12 SP5 already released with git-fixes in 12 SP5 GA.

For SLES 15 GA fixed with git-fixes in 
http://lists.suse.com/pipermail/sle-security-updates/2019-August/005787.html

For SLES 15 SP1 fixed with git-fixes in 

http://lists.suse.com/pipermail/sle-security-updates/2019-August/005791.html

Frederic, can you perhaps attach references to our internal patch
patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
Comment 18 Marcus Meissner 2020-06-15 15:41:14 UTC
So the 4.12 kernels were released in August 2019.
Comment 19 Marcus Meissner 2020-08-04 06:36:34 UTC
released