Commit 896a6de4 authored Jul 10, 2009 by Oleg Nesterov Committed by James Morris Aug 10, 2009

mm_for_maps: take ->cred_guard_mutex to fix the race with exec



The problem is minor, but without ->cred_guard_mutex held we can race
with exec() and get the new ->mm but check old creds.

Now we do not need to re-check task->mm after ptrace_may_access(), it
can't be changed to the new mm under us.

Strictly speaking, this also fixes another very minor problem. Unless
security check fails or the task exits mm_for_maps() should never
return NULL, the caller should get either old or new ->mm.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

parent d3c86602

fs/proc/base.c

+11 −11

Original line number	Diff line number	Diff line
		@@ -234,19 +234,19 @@ static int check_mem_permission(struct task_struct *task)

		struct mm_struct mm_for_maps(struct task_struct task)
		{
		struct mm_struct *mm = get_task_mm(task);
		struct mm_struct *mm;

		if (mm && mm != current->mm) {
		/*
		* task->mm can be changed before security check,
		* in that case we must notice the change after.
		*/
		if (!ptrace_may_access(task, PTRACE_MODE_READ) \|\|
		mm != task->mm) {
		if (mutex_lock_killable(&task->cred_guard_mutex))
		return NULL;

		mm = get_task_mm(task);
		if (mm && mm != current->mm &&
		!ptrace_may_access(task, PTRACE_MODE_READ)) {
		mmput(mm);
		mm = NULL;
		}
		}
		mutex_unlock(&task->cred_guard_mutex);

		return mm;
		}

Admin message