path: root/mm/process_vm_access.c
diff options
authorJann Horn <>2016-01-20 15:00:04 -0800
committerLinus Torvalds <>2016-01-20 17:09:18 -0800
commitcaaee6234d05a58c5b4d05e7bf766131b810a657 (patch)
tree6227530109dd91ab5447fbd2211f09bc636845a7 /mm/process_vm_access.c
parent3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 (diff)
ptrace: use fsuid, fsgid, effective creds for fs access checks
By checking the effective credentials instead of the real UID / permitted capabilities, ensure that the calling process actually intended to use its credentials. To ensure that all ptrace checks use the correct caller credentials (e.g. in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS flag), use two new flags and require one of them to be set. The problem was that when a privileged task had temporarily dropped its privileges, e.g. by calling setreuid(0, user_uid), with the intent to perform following syscalls with the credentials of a user, it still passed ptrace access checks that the user would not be able to pass. While an attacker should not be able to convince the privileged task to perform a ptrace() syscall, this is a problem because the ptrace access check is reused for things in procfs. In particular, the following somewhat interesting procfs entries only rely on ptrace access checks: /proc/$pid/stat - uses the check for determining whether pointers should be visible, useful for bypassing ASLR /proc/$pid/maps - also useful for bypassing ASLR /proc/$pid/cwd - useful for gaining access to restricted directories that contain files with lax permissions, e.g. in this scenario: lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar drwx------ root root /root drwxr-xr-x root root /root/foobar -rw-r--r-- root root /root/foobar/secret Therefore, on a system where a root-owned mode 6755 binary changes its effective credentials as described and then dumps a user-specified file, this could be used by an attacker to reveal the memory layout of root's processes or reveal the contents of files he is not allowed to access (through /proc/$pid/cwd). [ fix warning] Signed-off-by: Jann Horn <> Acked-by: Kees Cook <> Cc: Casey Schaufler <> Cc: Oleg Nesterov <> Cc: Ingo Molnar <> Cc: James Morris <> Cc: "Serge E. Hallyn" <> Cc: Andy Shevchenko <> Cc: Andy Lutomirski <> Cc: Al Viro <> Cc: "Eric W. Biederman" <> Cc: Willy Tarreau <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
Diffstat (limited to 'mm/process_vm_access.c')
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
index e88d071648c2..5d453e58ddbf 100644
--- a/mm/process_vm_access.c
+++ b/mm/process_vm_access.c
@@ -194,7 +194,7 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
goto free_proc_pages;
- mm = mm_access(task, PTRACE_MODE_ATTACH);
+ mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS);
if (!mm || IS_ERR(mm)) {
rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;