From nobody Mon May 25 05:13:50 2026 Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E7325481FB6 for ; Mon, 18 May 2026 16:35:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779122131; cv=none; b=R4nx11biXjzN6xEwBP+mkGeOh34UFRPSjutDYqT+ECLv5GEiZjuoPeP+c+nkZ29wLa/724Wx22ukebL7kebbBiX/IA5pN7GM32nQATd7ZzTghJSoiwvUizY5+U+YzQoER4AQm0g+fyoIizvzxG6qhZuKZCYqzwKw43IR5fsFkNc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779122131; c=relaxed/simple; bh=djRGGOfNBbozjPnt/kQUnWI/N0nUnUMisT2sVceci6g=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ZWA6xoU3tSvgYrvSLmC+LWY1Bl5x4IuVw3bNQ2IDODmNXBH0q5QyGCwDIQqmC9xZBwyHc4RgWoFAGMBsqr9A9GgWKNu45pzXQ7O2FYLeki0LQ6IgEdClIR6CFCeV68g/q6yRfzeIzET0qyKA3C42oUuPHtRjYmjAhlVvaFqGbTY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=tSS/vC2D; arc=none smtp.client-ip=209.85.128.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="tSS/vC2D" Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-4891ca4ce02so1685e9.1 for ; Mon, 18 May 2026 09:35:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1779122127; x=1779726927; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=GM6eeee61f70ct0y/r5ABG7xt/dD+OPujWKV47jCuiw=; b=tSS/vC2DIW/yg5OPWACD4lnLLjFciL98hQ4rs19gGcnxsX6gOcoLbvYpeEKzvXioG5 ZD7V0nt7UsBf3YkeTgTXulGhs2gDtmlibXZKhce2Unrc1DhQ/vJ9EOOSESAQAUE2gbri yTl+MvcVJ8teIcdQZpqgVG/Z+A/qJ/q5L1cOHCjTEHCnUjKUbqczIVI7izuf+89lSYM8 xHkIkQoYs3I2jlvFwpoaJZlFCn/WwJKx3IlPSlAu+UAs0MHgPIYCY3dgk9FPrlTEHw2K nhXIO+jEu9sW1LBRwwLcG5DfZNQ2agk2ns3L9C0YN0dnPT4XskWe+KV61qyhMv5ZDsRq x7kA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779122127; x=1779726927; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=GM6eeee61f70ct0y/r5ABG7xt/dD+OPujWKV47jCuiw=; b=hR3BiCPUx/S6kmI/O5+U8lKMW4zJPj6DOqRUvrgFs3VYZorPH5Q6SJYf1peayqvan3 C/2cY855alFG6DkY//TDYvEgEzgs2LfxnV91s13gihvix9n7XA841Bekvu7lQy8RwATa ttpkze/ZsQf1htoGCe6apa+lTDdf9tDT8ZitsCE/lzofohbByOcaHvPUPlQnWTtaIvT6 JVMiZhyv8OSK25a2dqm5XwJWkpA+qw74H4RCV0jR8NyyHMW/fLkqAcp+ns8hHHO2UIPL 1EYMJagykxeKnxF2uXPPFkd3mKvaP+DW9kj2Vr6aRnw35f36vuCjVlUkTWeEUZhL8Tjo GsAQ== X-Forwarded-Encrypted: i=1; AFNElJ8mV03cRjAZKEHeynOokFuRPxuYSuaYjvKaAEQ5gY1UU71eQ1e17ChGjQj63GWuDKa5rWMt0xilLk2NAPg=@vger.kernel.org X-Gm-Message-State: AOJu0Yzrv0vDT7EpEx6S9/j6di4z2n1UMXUGwtV3O+W4KzLMjraUvdpT LjA7aR7wJme8sAIibIHiPL1Z/DX+3sRzcUf8EXNPv+fr0GN2aa2wdSSZv3zyWObE9A== X-Gm-Gg: Acq92OFcr2MspVOUdwzo2ZFU3HJVsqmbLbkEui7qnrJUDpYJ/WHIEXnIqtiEjFAjcqi RkA62P5em5rDnoqvwKqyRVY3vbJ35jtMk0/V8wKI5vOnQY7tOwiXRhd2jEUY/i/du3S6SDe4gcY Zn65CU1SBVzgY4w7mqhXadY7OdkMsUh3KeDdyOFhczn4S07aVBchT5qQMXWL2gD8ohbxG5ky3JZ 5XSYAbVT1JpBAAUVahMrm3oAg7/Pz4YuKiy81rF3ioI7MiYXNGzvqmY4K6eoXDqCtTrT0sU37Tz 6NcNgZkn2C7ZOKX+sBjN9dlvHhiQLCF7nwwtXNj40Xu5ENVrx83mKvM8qhiV5lqIuKm5SwPg2JE nVf3ZNGDPDtkAENTynf46vPScOmWc/pVnRdJdVaRH9TrzqlJUkYlonpCIkO5+L3d0fdziSX2X/v mqxuLs6QvB4RNplIhMKf0PhCOIIx3X8Ppl5T+Fm2OPSnvpWnhOjvyTmujkH91J X-Received: by 2002:a7b:cc8b:0:b0:48f:de33:777a with SMTP id 5b1f17b1804b1-48ffd857abfmr2248535e9.11.1779122126285; Mon, 18 May 2026 09:35:26 -0700 (PDT) Received: from localhost ([2a00:79e0:288a:8:866a:e549:273b:bc0]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45d9ec3acf7sm38427000f8f.12.2026.05.18.09.35.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 09:35:25 -0700 (PDT) From: Jann Horn Date: Mon, 18 May 2026 18:35:15 +0200 Subject: [PATCH 1/2] proc: protect ptrace_may_access() with exec_update_lock (part 1) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260518-procfs-lockfix-part1-v1-1-5c3d20e0ac33@google.com> References: <20260518-procfs-lockfix-part1-v1-0-5c3d20e0ac33@google.com> In-Reply-To: <20260518-procfs-lockfix-part1-v1-0-5c3d20e0ac33@google.com> To: Alexander Viro , Christian Brauner Cc: Jan Kara , Arjan van de Ven , "Eric W. Biederman" , Jake Edge , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Jann Horn , stable@vger.kernel.org X-Mailer: b4 0.15-dev X-Developer-Signature: v=1; a=ed25519-sha256; t=1779122120; l=5553; i=jannh@google.com; s=20240730; h=from:subject:message-id; bh=djRGGOfNBbozjPnt/kQUnWI/N0nUnUMisT2sVceci6g=; b=bO91HUMzG4P0W1Yx2ORHO+hPa3YyNmBXkVORAsg8OmR5uNHV92gGhL0bfoVSeWZ9al1W5U9z2 ltoGAmawz8gBzEJuWVGfPrqVR0sRvKboxFfgbs829qqeXF5kjImB5df X-Developer-Key: i=jannh@google.com; a=ed25519; pk=AljNtGOzXeF6khBXDJVVvwSEkVDGnnZZYqfWhP1V+C8= Fix the easy cases where procfs currently calls ptrace_may_access() without exec_update_lock protection, where the fix is to simply add the extra lock or use mm_access(): - do_task_stat(): grab exec_update_lock - proc_pid_wchan(): grab exec_update_lock - proc_map_files_lookup(): use mm_access() instead of get_task_mm() - proc_map_files_readdir(): use mm_access() instead of get_task_mm() - proc_ns_get_link(): grab exec_update_lock - proc_ns_readlink(): grab exec_update_lock Fixes: f83ce3e6b02d ("proc: avoid information leaks to non-privileged proce= sses") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn --- fs/proc/array.c | 6 ++++++ fs/proc/base.c | 40 ++++++++++++++++++++-------------------- fs/proc/namespaces.c | 12 ++++++++++++ 3 files changed, 38 insertions(+), 20 deletions(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index 90fb0c6b5f99..479ea8cb4ef4 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -482,6 +482,11 @@ static int do_task_stat(struct seq_file *m, struct pid= _namespace *ns, unsigned long flags; int exit_code =3D task->exit_code; struct signal_struct *sig =3D task->signal; + int ret; + + ret =3D down_read_killable(&task->signal->exec_update_lock); + if (ret) + return ret; =20 state =3D *get_task_state(task); vsize =3D eip =3D esp =3D 0; @@ -657,6 +662,7 @@ static int do_task_stat(struct seq_file *m, struct pid_= namespace *ns, seq_puts(m, " 0"); =20 seq_putc(m, '\n'); + up_read(&task->signal->exec_update_lock); if (mm) mmput(mm); return 0; diff --git a/fs/proc/base.c b/fs/proc/base.c index d9acfa89c894..09b02d1621e5 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -423,18 +423,24 @@ static int proc_pid_wchan(struct seq_file *m, struct = pid_namespace *ns, { unsigned long wchan; char symname[KSYM_NAME_LEN]; + int err; =20 + err =3D down_read_killable(&task->signal->exec_update_lock); + if (err) + return err; if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) goto print0; =20 wchan =3D get_wchan(task); if (wchan && !lookup_symbol_name(wchan, symname)) { seq_puts(m, symname); + up_read(&task->signal->exec_update_lock); return 0; } =20 print0: seq_putc(m, '0'); + up_read(&task->signal->exec_update_lock); return 0; } #endif /* CONFIG_KALLSYMS */ @@ -2360,17 +2366,15 @@ static struct dentry *proc_map_files_lookup(struct = inode *dir, if (!task) goto out; =20 - result =3D ERR_PTR(-EACCES); - if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) - goto out_put_task; - result =3D ERR_PTR(-ENOENT); if (dname_to_vma_addr(dentry, &vm_start, &vm_end)) goto out_put_task; =20 - mm =3D get_task_mm(task); - if (!mm) + mm =3D mm_access(task, PTRACE_MODE_READ_FSCREDS); + if (IS_ERR(mm)) { + result =3D ERR_CAST(mm); goto out_put_task; + } =20 result =3D ERR_PTR(-EINTR); if (mmap_read_lock_killable(mm)) @@ -2420,23 +2424,19 @@ proc_map_files_readdir(struct file *file, struct di= r_context *ctx) if (!task) goto out; =20 - ret =3D -EACCES; - if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) + mm =3D mm_access(task, PTRACE_MODE_READ_FSCREDS); + if (IS_ERR(mm)) { + ret =3D PTR_ERR(mm); goto out_put_task; + } =20 ret =3D 0; if (!dir_emit_dots(file, ctx)) - goto out_put_task; - - mm =3D get_task_mm(task); - if (!mm) - goto out_put_task; + goto out_put_mm; =20 ret =3D mmap_read_lock_killable(mm); - if (ret) { - mmput(mm); - goto out_put_task; - } + if (ret) + goto out_put_mm; =20 nr_files =3D 0; =20 @@ -2462,8 +2462,7 @@ proc_map_files_readdir(struct file *file, struct dir_= context *ctx) if (!p) { ret =3D -ENOMEM; mmap_read_unlock(mm); - mmput(mm); - goto out_put_task; + goto out_put_mm; } =20 p->start =3D vma->vm_start; @@ -2471,7 +2470,6 @@ proc_map_files_readdir(struct file *file, struct dir_= context *ctx) p->mode =3D vma->vm_file->f_mode; } mmap_read_unlock(mm); - mmput(mm); =20 for (i =3D 0; i < nr_files; i++) { char buf[4 * sizeof(long) + 2]; /* max: %lx-%lx\0 */ @@ -2488,6 +2486,8 @@ proc_map_files_readdir(struct file *file, struct dir_= context *ctx) ctx->pos++; } =20 +out_put_mm: + mmput(mm); out_put_task: put_task_struct(task); out: diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index 39f4169f669f..2f46f1396744 100644 --- a/fs/proc/namespaces.c +++ b/fs/proc/namespaces.c @@ -55,6 +55,10 @@ static const char *proc_ns_get_link(struct dentry *dentr= y, if (!task) return ERR_PTR(-EACCES); =20 + error =3D down_read_killable(&task->signal->exec_update_lock); + if (error) + goto out_put_task; + if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) goto out; =20 @@ -64,6 +68,8 @@ static const char *proc_ns_get_link(struct dentry *dentry, =20 error =3D nd_jump_link(&ns_path); out: + up_read(&task->signal->exec_update_lock); +out_put_task: put_task_struct(task); return ERR_PTR(error); } @@ -80,11 +86,17 @@ static int proc_ns_readlink(struct dentry *dentry, char= __user *buffer, int bufl if (!task) return res; =20 + res =3D down_read_killable(&task->signal->exec_update_lock); + if (res) + goto out_put_task; + if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { res =3D ns_get_name(name, sizeof(name), task, ns_ops); if (res >=3D 0) res =3D readlink_copy(buffer, buflen, name, strlen(name)); } + up_read(&task->signal->exec_update_lock); +out_put_task: put_task_struct(task); return res; } --=20 2.54.0.563.g4f69b47b94-goog From nobody Mon May 25 05:13:50 2026 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F39BC48AE06 for ; Mon, 18 May 2026 16:35:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779122132; cv=none; b=pT8XJ3t6TO81i/FInkiTtKSm39zDOf2TKTTCc7oMX8JXWjtmipPXHDnfwKRubqKXcdiMxSsnIGPAdcjGv5oBw6W6CbissRVyNn1vwojqoCPYqb4uey2WGBaZfT5gh/J+lyALFtfiK0NT6QcXvOHDAeRLsWaY3pQtdNzKv/5FpUk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779122132; c=relaxed/simple; bh=J6vYP+pwxqJtl3IXGpjK6NcN9iylazyz59URcLbnfuQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=gR+tdX4DZEfuJ56iu6HnNXIJ5ZSso8fNXUE84OhKRD4HPAt1ihr2NKonf7uc40lnBms6VrKpdml9m8rWM37UdC40xC4KlBB7vQ0XcyyMsDn+3CswTo6+vK7hKkz4dZD3mPEtuYSut+w+uPpXoTOHd+YSwePiGoiYq781pxOsJJE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ukhi34VE; arc=none smtp.client-ip=209.85.128.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ukhi34VE" Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-48d1c670255so405e9.0 for ; Mon, 18 May 2026 09:35:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1779122128; x=1779726928; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=9JIolJGgKb991CwNklVUCVvleyM5JMSNh06xqnYIkkE=; b=ukhi34VE7hisDw8lB9rjG8v4kOMjx9/9N+vbJOg9cN2rdFS4tLh3yx3DwwwrTB1+bn QyOHu0q7mDWGdRK3CGDh4oT5idAc6UoeD2P1+k9ODKsRWSTapIlF5qHx/qjiQ0RMkJVf 2afRtWw4YpBCeq/fAyq4DVWK8yU9UVo9KfXKHRKFI3H8d5thqlBDJxFl4n4uS4k1C9IV etxsoRGc/6kve1d9hFgV4YtIhtmwFzp15rhFRyaKSnFyGQbWMbuBaakohMlKOGkxuAnK mPZI7s5bUYm6GUOVvdXO1H7hVOVa/cJB5c8z4GsvUmiFRhzg1FICol5EZj3BqC+vB4zm AExg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779122128; x=1779726928; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=9JIolJGgKb991CwNklVUCVvleyM5JMSNh06xqnYIkkE=; b=IbSErDjwjkXHnTfKu0mWDE4CBKWcA1JCXcBge7o9VLYYdlF6VFa/9FHYNto68+HtI1 4C4fP+xOIrGQePhmnBjf7CJW7UqmsHXWu5SkOyc7Tn0Wxw/MBr4E9/BdfKOt2SSxcBqo Uc9YBJoAuVXbhUJeg1NBAyvr/FISNvIwF7X8LefhDZyBLpQoo+GPEUAvPkdyKRnW2pqE jdAJYY/uUv47qIYQ2G9gO+dySo19VSQKMTGgJc8YncByHsxECuF9YIyD1zDfoHy1RrI8 EugU/lJ1uoCzXIONpJv8y/xqLgrChvpbmK/g1GatPqt/xTmrjs3b5y1dWHNKHYAbDMDy eX0w== X-Forwarded-Encrypted: i=1; AFNElJ/AJ0wfB5/4ZdWcJyI4HMz9TF9F54PRcHGe9PRCV1eiXGSfM56fJ7rIBDOz0KlF6/5uFiL9IqolK6j+s9E=@vger.kernel.org X-Gm-Message-State: AOJu0Yw9L1GDppF2ENZ4Trf8TXWkMWufeKZ8go+xm1Sp6fbpwwK7Ak6r 2NzZrz/BUt2eOn47lEMt7kRsbqZBwbb4NqRlwrkIiU7fXDj9OD8BdyDICwJCfwA1mQ== X-Gm-Gg: Acq92OETM3jIfHXt3W2AoTZ9jnNAUJeqT8SncAJ2kFW3C+/Rip/npGudc4OjgcbU8hn 4G8Z8DnzJhFAOs8Ax8LjY4lnOhe9/1hYogG5zeIJPSmrrWVJzydEJRLm0uMG8/cYse35rnZNYiw OJKQhS2gHwa+b4C6mFl7qi52a39clWLDADyzDf5e2EKDN5OtPp0viNCMIaxgWvON1wyFFXj0hzq nBJ8dWzeHsup69Md0MzLuJA/4H5iFmlEHxapghRU7gsMzBMeG4jKZ1qqLY4nQfXVMgSz8zTILCf cr7GjcfOHfIFCeg8O0xmJaDXoGj+souiY/1rqmRyiyVJmhnxbYH59AxNaSGFXek0ZRP5vHQ5G/J a98SExeReOBFRFGR3YBSfPLSuXZmmZubP1Y6gYV/KUeyc0SfMHCgGqgPGJJMC6UIV4XkiRKFgTF 7vKCdSBvQf0VTEhG3RKboCkjQ97yO8jlivAQyh04NJQJMY5BCCbqNM1napb5bO X-Received: by 2002:a05:600c:6986:b0:485:2ab4:c1f9 with SMTP id 5b1f17b1804b1-48ffa5a381fmr2897155e9.4.1779122127357; Mon, 18 May 2026 09:35:27 -0700 (PDT) Received: from localhost ([2a00:79e0:288a:8:866a:e549:273b:bc0]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45da0a1aeafsm40394849f8f.23.2026.05.18.09.35.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 09:35:26 -0700 (PDT) From: Jann Horn Date: Mon, 18 May 2026 18:35:16 +0200 Subject: [PATCH 2/2] proc: protect ptrace_may_access() with exec_update_lock (FD links) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260518-procfs-lockfix-part1-v1-2-5c3d20e0ac33@google.com> References: <20260518-procfs-lockfix-part1-v1-0-5c3d20e0ac33@google.com> In-Reply-To: <20260518-procfs-lockfix-part1-v1-0-5c3d20e0ac33@google.com> To: Alexander Viro , Christian Brauner Cc: Jan Kara , Arjan van de Ven , "Eric W. Biederman" , Jake Edge , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Jann Horn , stable@vger.kernel.org X-Mailer: b4 0.15-dev X-Developer-Signature: v=1; a=ed25519-sha256; t=1779122120; l=7748; i=jannh@google.com; s=20240730; h=from:subject:message-id; bh=J6vYP+pwxqJtl3IXGpjK6NcN9iylazyz59URcLbnfuQ=; b=VGuWqwO60b4SF4T9W/cDNEZOqXEC7aVVevIZX9SsSb7uy7X+b/lA73E07zjsjHEDTj1bkJKC4 Sr5mX0rxXNWBNf5FqcB4mV1qb5KBWiQZz4gXJvCc1GPzB4bRclzXhJN X-Developer-Key: i=jannh@google.com; a=ed25519; pk=AljNtGOzXeF6khBXDJVVvwSEkVDGnnZZYqfWhP1V+C8= proc_pid_get_link() and proc_pid_readlink() currently look up the task from the pid once, then do the ptrace access check on that task, then look up the task from the pid a second time to do the actual access. That's racy in several ways. To fix it, pass the task to the ->proc_get_link() handler, and instead of proc_fd_access_allowed(), introduce a new helper call_proc_get_link() that looks up and locks the task, does the access check, and calls ->proc_get_link(). Fixes: 778c1144771f ("[PATCH] proc: Use sane permission checks on the /proc= //fd/ symlinks") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn --- fs/proc/base.c | 119 +++++++++++++++++++++----------------------------= ---- fs/proc/fd.c | 27 +++++------- fs/proc/internal.h | 2 +- 3 files changed, 59 insertions(+), 89 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index 09b02d1621e5..ef2f59461374 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -218,33 +218,24 @@ static int get_task_root(struct task_struct *task, st= ruct path *root) return result; } =20 -static int proc_cwd_link(struct dentry *dentry, struct path *path) +static int proc_cwd_link(struct dentry *dentry, struct path *path, + struct task_struct *task) { - struct task_struct *task =3D get_proc_task(d_inode(dentry)); int result =3D -ENOENT; =20 - if (task) { - task_lock(task); - if (task->fs) { - get_fs_pwd(task->fs, path); - result =3D 0; - } - task_unlock(task); - put_task_struct(task); + task_lock(task); + if (task->fs) { + get_fs_pwd(task->fs, path); + result =3D 0; } + task_unlock(task); return result; } =20 -static int proc_root_link(struct dentry *dentry, struct path *path) +static int proc_root_link(struct dentry *dentry, struct path *path, + struct task_struct *task) { - struct task_struct *task =3D get_proc_task(d_inode(dentry)); - int result =3D -ENOENT; - - if (task) { - result =3D get_task_root(task, path); - put_task_struct(task); - } - return result; + return get_task_root(task, path); } =20 /* @@ -710,23 +701,6 @@ static int proc_pid_syscall(struct seq_file *m, struct= pid_namespace *ns, /* Here the fs part begins */ /************************************************************************/ =20 -/* permission checks */ -static bool proc_fd_access_allowed(struct inode *inode) -{ - struct task_struct *task; - bool allowed =3D false; - /* Allow access to a task's file descriptors if it is us or we - * may use ptrace attach to the process and find out that - * information. - */ - task =3D get_proc_task(inode); - if (task) { - allowed =3D ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); - put_task_struct(task); - } - return allowed; -} - int proc_nochmod_setattr(struct mnt_idmap *idmap, struct dentry *dentry, struct iattr *attr) { @@ -1783,16 +1757,12 @@ static const struct file_operations proc_pid_set_co= mm_operations =3D { .release =3D single_release, }; =20 -static int proc_exe_link(struct dentry *dentry, struct path *exe_path) +static int proc_exe_link(struct dentry *dentry, struct path *exe_path, + struct task_struct *task) { - struct task_struct *task; struct file *exe_file; =20 - task =3D get_proc_task(d_inode(dentry)); - if (!task) - return -ENOENT; exe_file =3D get_task_exe_file(task); - put_task_struct(task); if (exe_file) { *exe_path =3D exe_file->f_path; path_get(&exe_file->f_path); @@ -1802,26 +1772,42 @@ static int proc_exe_link(struct dentry *dentry, str= uct path *exe_path) return -ENOENT; } =20 +static int call_proc_get_link(struct dentry *dentry, struct inode *inode, = struct path *path_out) +{ + struct task_struct *task; + int ret; + + task =3D get_proc_task(inode); + if (!task) + return -ENOENT; + ret =3D down_read_killable(&task->signal->exec_update_lock); + if (ret) + goto out_put_task; + if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) { + ret =3D -EACCES; + goto out; + } + ret =3D PROC_I(inode)->op.proc_get_link(dentry, path_out, task); + +out: + up_read(&task->signal->exec_update_lock); +out_put_task: + put_task_struct(task); + return ret; +} + static const char *proc_pid_get_link(struct dentry *dentry, struct inode *inode, struct delayed_call *done) { struct path path; - int error =3D -EACCES; + int error; =20 if (!dentry) return ERR_PTR(-ECHILD); - - /* Are we allowed to snoop on the tasks file descriptors? */ - if (!proc_fd_access_allowed(inode)) - goto out; - - error =3D PROC_I(inode)->op.proc_get_link(dentry, &path); - if (error) - goto out; - - error =3D nd_jump_link(&path); -out: + error =3D call_proc_get_link(dentry, inode, &path); + if (!error) + error =3D nd_jump_link(&path); return ERR_PTR(error); } =20 @@ -1855,17 +1841,11 @@ static int proc_pid_readlink(struct dentry * dentry= , char __user * buffer, int b struct inode *inode =3D d_inode(dentry); struct path path; =20 - /* Are we allowed to snoop on the tasks file descriptors? */ - if (!proc_fd_access_allowed(inode)) - goto out; - - error =3D PROC_I(inode)->op.proc_get_link(dentry, &path); - if (error) - goto out; - - error =3D do_proc_readlink(&path, buffer, buflen); - path_put(&path); -out: + error =3D call_proc_get_link(dentry, inode, &path); + if (!error) { + error =3D do_proc_readlink(&path, buffer, buflen); + path_put(&path); + } return error; } =20 @@ -2256,21 +2236,16 @@ static const struct dentry_operations tid_map_files= _dentry_operations =3D { .d_delete =3D pid_delete_dentry, }; =20 -static int map_files_get_link(struct dentry *dentry, struct path *path) +static int map_files_get_link(struct dentry *dentry, struct path *path, + struct task_struct *task) { unsigned long vm_start, vm_end; struct vm_area_struct *vma; - struct task_struct *task; struct mm_struct *mm; int rc; =20 rc =3D -ENOENT; - task =3D get_proc_task(d_inode(dentry)); - if (!task) - goto out; - mm =3D get_task_mm(task); - put_task_struct(task); if (!mm) goto out; =20 diff --git a/fs/proc/fd.c b/fs/proc/fd.c index 05c7513e77c7..0f9a1556f2a3 100644 --- a/fs/proc/fd.c +++ b/fs/proc/fd.c @@ -171,24 +171,19 @@ static const struct dentry_operations tid_fd_dentry_o= perations =3D { .d_delete =3D pid_delete_dentry, }; =20 -static int proc_fd_link(struct dentry *dentry, struct path *path) +static int proc_fd_link(struct dentry *dentry, struct path *path, + struct task_struct *task) { - struct task_struct *task; int ret =3D -ENOENT; - - task =3D get_proc_task(d_inode(dentry)); - if (task) { - unsigned int fd =3D proc_fd(d_inode(dentry)); - struct file *fd_file; - - fd_file =3D fget_task(task, fd); - if (fd_file) { - *path =3D fd_file->f_path; - path_get(&fd_file->f_path); - ret =3D 0; - fput(fd_file); - } - put_task_struct(task); + unsigned int fd =3D proc_fd(d_inode(dentry)); + struct file *fd_file; + + fd_file =3D fget_task(task, fd); + if (fd_file) { + *path =3D fd_file->f_path; + path_get(&fd_file->f_path); + ret =3D 0; + fput(fd_file); } =20 return ret; diff --git a/fs/proc/internal.h b/fs/proc/internal.h index 64dc44832808..d31984c3c797 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -107,7 +107,7 @@ extern struct kmem_cache *proc_dir_entry_cache; void pde_free(struct proc_dir_entry *pde); =20 union proc_op { - int (*proc_get_link)(struct dentry *, struct path *); + int (*proc_get_link)(struct dentry *, struct path *, struct task_struct *= ); int (*proc_show)(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task); --=20 2.54.0.563.g4f69b47b94-goog