Commit 01e05e9a authored by Tejun Heo's avatar Tejun Heo Committed by Linus Torvalds
Browse files

ptrace: use safer wake up on ptrace_detach() 



The wake_up_process() call in ptrace_detach() is spurious and not
interlocked with the tracee state.  IOW, the tracee could be running or
sleeping in any place in the kernel by the time wake_up_process() is
called.  This can lead to the tracee waking up unexpectedly which can be
dangerous.

The wake_up is spurious and should be removed but for now reduce its
toxicity by only waking up if the tracee is in TRACED or STOPPED state.

This bug can possibly be used as an attack vector.  I don't think it
will take too much effort to come up with an attack which triggers oops
somewhere.  Most sleeps are wrapped in condition test loops and should
be safe but we have quite a number of places where sleep and wakeup
conditions are expected to be interlocked.  Although the window of
opportunity is tiny, ptrace can be used by non-privileged users and with
some loading the window can definitely be extended and exploited.

Signed-off-by: default avatarTejun Heo <tj@kernel.org>
Acked-by: default avatarRoland McGrath <roland@redhat.com>
Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent d863b50a

kernel/ptrace.c

+1 −1
Original line number Diff line number Diff line
@@ -313,7 +313,7 @@ int ptrace_detach(struct task_struct *child, unsigned int data) 
		child->exit_code = data;

		dead = __ptrace_detach(current, child);

		if (!child->exit_state)

			wake_up_process(child);

			wake_up_state(child, TASK_TRACED | TASK_STOPPED);

	}

	write_unlock_irq(&tasklist_lock);

CRA Git | Maintained and supported by SUSTech CRA and CCSE