[Fedora 12/19] ptrace: Do not allow ptrace() from unsigned process to signed one

Vivek Goyal vgoyal at redhat.com
Thu Sep 5 01:21:31 UTC 2013


On Wed, Sep 04, 2013 at 09:42:34PM +0000, Matthew Garrett wrote:
[ CC kexec fedora list ]

> On Wed, 2013-09-04 at 17:24 -0400, Vivek Goyal wrote:
> 
> Doesn't this:
> 
> > +		if (!ptraced_by_unsafe_tracer())
> > +			bprm->cred->proc_signed = true;
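Review bot: the two lines rely on a lock that is not visible in the excerpt; if cred_guard_mutex is what keeps the ptraced_by_unsafe_tracer() check and the proc_signed store atomic against ptrace_attach(), a comment at the check saying so, or a lockdep_assert_held() on that mutex, would make the no-race argument verifiable from the code itself rather than from the surrounding call chain.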
> 
> race with this if the attacker is able to run between the check and
> proc_signed being set to true?

I think this should not be a problem. task->signal->cred_guard_mutex
should provide mutual exclusion here.

ptrace_attach()
    mutex_lock_interruptible(&task->signal->cred_guard_mutex)

do_execve_common()
    prepare_bprm_creds()
        mutex_lock_interruptible(&current->signal->cred_guard_mutex);
    search_binary_handler()
        load_elf_binary()
            ptraced_by_unsafe_tracer();
    install_exec_creds()
        mutex_unlock(&current->signal->cred_guard_mutex);

So cred_guard_mutex is held while bprm is being prepared and till it is
installed. I think in that duration, no process can do a fresh
ptrace_attach().

Thanks
Vivek
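Added illustration, not part of the thread or of the kernel: a small Python model that enumerates every interleaving of the exec path and ptrace_attach() listed above and checks whether an attach can land between the ptraced_by_unsafe_tracer() check and the proc_signed store, with and without cred_guard_mutex. The step names and the two-path abstraction are assumptions that reduce the call chain to its lock, check, store and attach operations.

```python
from itertools import combinations

# Exec side: prepare_bprm_creds() takes cred_guard_mutex, load_elf_binary()
# checks the tracer and stores proc_signed, install_exec_creds() drops it.
EXEC = [("exec", "lock"), ("exec", "check"), ("exec", "set"), ("exec", "unlock")]
# Attach side: ptrace_attach() takes the same mutex around the attach.
ATTACH = [("attach", "lock"), ("attach", "attach"), ("attach", "unlock")]

def simulate(schedule, use_lock):
    """Run one interleaving. Returns None if it is impossible (a path tried
    to take the held mutex), else whether a tracer attached between the
    ptraced_by_unsafe_tracer() check and the proc_signed store."""
    holder = None       # current holder of cred_guard_mutex (model)
    traced = False      # an unsafe tracer is attached
    check_ok = False    # last check saw no tracer
    raced = False
    for who, op in schedule:
        if op == "lock":
            if use_lock and holder is not None:
                return None     # would block, so this order cannot occur
            holder = who
        elif op == "unlock":
            holder = None
        elif op == "check":
            check_ok = not traced
        elif op == "set":       # bprm->cred->proc_signed = true
            raced |= check_ok and traced   # check passed, tracer slipped in
        elif op == "attach":
            traced = True
    return raced

def count_races(use_lock):
    """Return (feasible interleavings, interleavings showing the TOCTOU race)."""
    n = len(EXEC) + len(ATTACH)
    feasible = races = 0
    for exec_slots in combinations(range(n), len(EXEC)):
        ex, at = iter(EXEC), iter(ATTACH)
        schedule = [next(ex) if i in exec_slots else next(at) for i in range(n)]
        result = simulate(schedule, use_lock)
        if result is not None:
            feasible += 1
            races += result
    return feasible, races

if __name__ == "__main__":
    print("without mutex:", count_races(False))   # (35, 9)
    print("with mutex:   ", count_races(True))    # (2, 0)
```

Without the mutex 9 of the 35 orderings put the attach between the check and the store; with the mutex held across both, only the two non-overlapping orderings remain and none of them races.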

