Bugzilla – Bug 1140671
VUL-0: CVE-2019-13272: kernel-source: Fix ->ptracer_cred handling for PTRACE_TRACEME
Last modified: 2020-08-04 06:36:34 UTC
From security@kernel.org: From: Jann Horn <jannh@google.com> Fix two issues: When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference to the parent's objective credentials, then give that pointer to get_cred(). However, the object lifetime rules for things like struct cred do not permit unconditionally turning an RCU reference into a stable reference. PTRACE_TRACEME records the parent's credentials as if the parent was acting as the subject, but that's not the case. If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship, which can be abused to ptrace a suid binary and obtain root privileges. Fix both of these by always recording the credentials of the process that is requesting the creation of the ptrace relationship: current_cred() can't change under us, and current is the proper subject for access control. This change is theoretically userspace-visible, but I am not aware of any code that it will actually break. Cc: stable@vger.kernel.org Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP") Signed-off-by: Jann Horn <jannh@google.com> --- As usual, I'm not entirely sure which tree this should go through... Eric's or akpm's? kernel/ptrace.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 8456b6e2205f..705887f63288 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -79,9 +79,7 @@ void __ptrace_link(struct task_struct *child, struct task_struct *new_parent, */ static void ptrace_link(struct task_struct *child, struct task_struct *new_parent) { - rcu_read_lock(); - __ptrace_link(child, new_parent, __task_cred(new_parent)); - rcu_read_unlock(); + __ptrace_link(child, new_parent, current_cred()); } Linus has pulled the fix into 5.2 as 6994eefb0053 ("ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME")
Fixes tag suggest 4.10+ (SLE15 based products). We do not seem to have 6994eefb0053 in SLE12-SP3 or older kernels.
seems in mainline git already: commit 6994eefb0053799d2e07cd140df6c2ea106c41ee Author: Jann Horn <jannh@google.com> Date: Thu Jul 4 17:32:23 2019 +0200 ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME Fix two issues: When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference to the parent's objective credentials, then give that pointer to get_cred(). However, the object lifetime rules for things like struct cred do not permit unconditionally turning an RCU reference into a stable reference. PTRACE_TRACEME records the parent's credentials as if the parent was acting as the subject, but that's not the case. If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship, which can be abused to ptrace a suid binary and obtain root privileges. Fix both of these by always recording the credentials of the process that is requesting the creation of the ptrace relationship: current_cred() can't change under us, and current is the proper subject for access control. This change is theoretically userspace-visible, but I am not aware of any code that it will actually break. Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP") Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Indeed, it's not in SLE12-SP3 (and probably not before). The issue looks serious. Should I backport it?
Hello, Are there further updates on integration of these corrections into the SLES15/OpenSuSE15 kernels? Thanks, Doug
(In reply to Douglas Jacobsen from comment #6) > Hello, > > Are there further updates on integration of these corrections into the > SLES15/OpenSuSE15 kernels? > > Thanks, > Doug Sorry for the delay, backporting that now. Thanks.
SUSE-SU-2019:2949-1: An update that solves 49 vulnerabilities and has 18 fixes is now available. Category: security (important) Bug References: 1051510,1084878,1117665,1131107,1133140,1135966,1135967,1136261,1137865,1139073,1140671,1141013,1141054,1142458,1143187,1144123,1144903,1145477,1146042,1146163,1146285,1146361,1146378,1146391,1146413,1146425,1146512,1146514,1146516,1146519,1146524,1146526,1146529,1146540,1146543,1146547,1146550,1146584,1146589,1147022,1147122,1148394,1148938,1149083,1149376,1149522,1149527,1149555,1149612,1150025,1150112,1150452,1150457,1150465,1150727,1150942,1151347,1151350,1152685,1152782,1152788,1153158,1153263,1154103,1154372,1155131,1155671 CVE References: CVE-2016-10906,CVE-2017-18379,CVE-2017-18509,CVE-2017-18551,CVE-2017-18595,CVE-2018-12207,CVE-2018-20976,CVE-2019-0154,CVE-2019-0155,CVE-2019-10220,CVE-2019-11135,CVE-2019-13272,CVE-2019-14814,CVE-2019-14815,CVE-2019-14816,CVE-2019-14821,CVE-2019-14835,CVE-2019-15098,CVE-2019-15211,CVE-2019-15212,CVE-2019-15214,CVE-2019-15215,CVE-2019-15216,CVE-2019-15217,CVE-2019-15218,CVE-2019-15219,CVE-2019-15220,CVE-2019-15221,CVE-2019-15239,CVE-2019-15290,CVE-2019-15291,CVE-2019-15505,CVE-2019-15666,CVE-2019-15807,CVE-2019-15902,CVE-2019-15924,CVE-2019-15926,CVE-2019-15927,CVE-2019-16232,CVE-2019-16233,CVE-2019-16234,CVE-2019-16413,CVE-2019-16995,CVE-2019-17055,CVE-2019-17056,CVE-2019-17133,CVE-2019-17666,CVE-2019-9456,CVE-2019-9506 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1 SUSE OpenStack Cloud 8 (src): kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1 SUSE Linux Enterprise High Availability 12-SP3 (src): kernel-default-4.4.180-94.107.1 SUSE Enterprise Storage 5 (src): kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1 SUSE CaaS Platform 3.0 (src): kernel-default-4.4.180-94.107.1 HPE Helion Openstack 8 (src): kernel-default-4.4.180-94.107.1, kernel-source-4.4.180-94.107.1, kernel-syms-4.4.180-94.107.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2984-1: An update that solves 49 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1068032,1084878,1092497,1106913,1117665,1135966,1135967,1137865,1139550,1140671,1141054,1144338,1144903,1145477,1146285,1146361,1146378,1146391,1146413,1146425,1146512,1146514,1146516,1146519,1146584,1147122,1148394,1148938,1149376,1149522,1149527,1149555,1149612,1149849,1150025,1150112,1150223,1150452,1150457,1150465,1150466,1151347,1151350,1152685,1152782,1152788,1153158,1154372,1155671,1155898,1156187 CVE References: CVE-2016-10906,CVE-2017-18509,CVE-2017-18595,CVE-2018-12207,CVE-2018-20976,CVE-2019-0154,CVE-2019-0155,CVE-2019-10220,CVE-2019-11135,CVE-2019-13272,CVE-2019-14814,CVE-2019-14815,CVE-2019-14816,CVE-2019-14821,CVE-2019-14835,CVE-2019-15098,CVE-2019-15211,CVE-2019-15212,CVE-2019-15214,CVE-2019-15215,CVE-2019-15216,CVE-2019-15217,CVE-2019-15218,CVE-2019-15219,CVE-2019-15220,CVE-2019-15221,CVE-2019-15290,CVE-2019-15291,CVE-2019-15505,CVE-2019-15666,CVE-2019-15807,CVE-2019-15902,CVE-2019-15924,CVE-2019-15926,CVE-2019-15927,CVE-2019-16231,CVE-2019-16232,CVE-2019-16233,CVE-2019-16234,CVE-2019-16413,CVE-2019-16995,CVE-2019-17055,CVE-2019-17056,CVE-2019-17133,CVE-2019-17666,CVE-2019-18680,CVE-2019-18805,CVE-2019-9456,CVE-2019-9506 Sources used: SUSE OpenStack Cloud 7 (src): kernel-default-4.4.121-92.125.1, kernel-source-4.4.121-92.125.1, kernel-syms-4.4.121-92.125.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): kernel-default-4.4.121-92.125.1, kernel-source-4.4.121-92.125.1, kernel-syms-4.4.121-92.125.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): kernel-default-4.4.121-92.125.1, kernel-source-4.4.121-92.125.1, kernel-syms-4.4.121-92.125.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): kernel-default-4.4.121-92.125.1, kernel-source-4.4.121-92.125.1, kernel-syms-4.4.121-92.125.1 SUSE Linux Enterprise High Availability 12-SP2 (src): kernel-default-4.4.121-92.125.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
The __ptrace_link() function in SLE-11-SP3/4 is not using the get_cred() function as described in comment 0. Therefore the code is not affected by this issue. Here's the patch that introduces this functionality: https://github.com/openSUSE/kernel/commit/c70d9d809fdeecedb96972457ee45c49a232d97f
For SLES 12 SP4 already released with git-fixes http://lists.suse.com/pipermail/sle-security-updates/2019-August/005786.html For SLES 12 SP5 already released with git-fixes in 12 SP5 GA. For SLES 15 GA fixed with git-fixes in http://lists.suse.com/pipermail/sle-security-updates/2019-August/005787.html For SLES 15 SP1 fixed with git-fixes in http://lists.suse.com/pipermail/sle-security-updates/2019-August/005791.html Frederic, can you perhaps attach references to our internal patch patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
So the 4.12 kernels were released in August 2019.
reelased