From patchwork Tue Jul 8 05:49:59 2014
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 367799
Date: Mon, 7 Jul 2014 22:49:59 -0700
From: Kees Cook To: kernel-team@lists.ubuntu.com Subject: [Precise][SRU] Yama: handle 32-bit userspace prctl Message-ID: <20140708054959.GU5412@outflux.net> MIME-Version: 1.0 Content-Disposition: inline Organization: Ubuntu X-MIMEDefang-Filter: outflux$Revision: 1.316 $ X-HELO: www.outflux.net X-Scanned-By: MIMEDefang 2.73 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com BugLink: http://bugs.launchpad.net/bugs/1338883 commit 2e4930eb7c8fb20a39dfb5f8a8f80402710dcea8 upstream. When running a 64-bit kernel and receiving prctls from a 32-bit userspace, the "-1" used as an unsigned long will end up being misdetected. The kernel is looking for 0xffffffffffffffff instead of 0xffffffff. Since prctl lacks a distinct compat interface, Yama needs to handle this translation itself. As such, support either value as meaning PR_SET_PTRACER_ANY, to avoid breaking the ABI for 64-bit. Signed-off-by: Kees Cook Acked-by: John Johansen Cc: stable@vger.kernel.org Signed-off-by: James Morris [adjusted for Precise's Yama backport format/whitespace changes] Signed-off-by: Kees Cook Acked-by: Andy Whitcroft --- security/yama/yama_lsm.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 30361cb..84bd07b 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -140,8 +140,7 @@ int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3, if (arg2 == 0) { yama_ptracer_del(NULL, myself); rc = 0; - } - else if (arg2 == PR_SET_PTRACER_ANY) { + } else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) { rc = yama_ptracer_add(NULL, myself); } else { struct task_struct *tracer;
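Review bot: In the `else if` condition of yama_task_prctl(), `(int)arg2 == -1` compares only the low 32 bits of arg2, so it matches every value whose low word is 0xffffffff, not only the 0xffffffff that a 32-bit caller sends, and it makes the `arg2 == PR_SET_PTRACER_ANY` test next to it redundant. Because this is the branch that treats the request as PR_SET_PTRACER_ANY and calls `yama_ptracer_add(NULL, myself)`, the set of accepted values deserves to be stated in the code: a short comment above the condition saying that prctl has no compat entry point and that the truncating cast is deliberate would keep a later cleanup from dropping it or reading it as a bug. If only the two values named in the commit message are meant to be accepted, an explicit comparison against 0xffffffff would express that more exactly than the cast.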