| Message ID | 1563488579-18170-1-git-send-email-tyhicks@canonical.com |
|---|---|
| Series | CVE-2019-13272: ptrace privilege escalation |
LGTM.

Acked-by: Kamal Mostafa <kamal@canonical.com>

-Kamal

On Thu, Jul 18, 2019 at 10:22:58PM +0000, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13272.html
>
> In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c
> mishandles the recording of the credentials of a process that wants to
> create a ptrace relationship, which allows local users to obtain root
> access by leveraging certain scenarios with a parent-child process
> relationship, where a parent drops privileges and calls execve
> (potentially allowing control by an attacker). One contributing factor
> is an object lifetime issue (which can also cause a panic). Another
> contributing factor is incorrect marking of a ptrace relationship as
> privileged, which is exploitable through (for example) Polkit's pkexec
> helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable
> workaround in some environments.
>
> Clean cherry pick. I've modified the PoC in the Project Zero bug report
> to work on Ubuntu and verified that the fix does prevent the PoC from
> working. I also successfully ran the AppArmor ptrace regression tests to
> verify that there are no unexpected changes in the AppArmor ptrace
> mediation.
>
> Tyler
>
> Jann Horn (1):
>   ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
>
>  kernel/ptrace.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
>
> --
> 2.7.4
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 2019-07-18 22:22:58 , Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13272.html
>
> In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c
> mishandles the recording of the credentials of a process that wants to
> create a ptrace relationship, which allows local users to obtain root
> access by leveraging certain scenarios with a parent-child process
> relationship, where a parent drops privileges and calls execve
> (potentially allowing control by an attacker). One contributing factor
> is an object lifetime issue (which can also cause a panic). Another
> contributing factor is incorrect marking of a ptrace relationship as
> privileged, which is exploitable through (for example) Polkit's pkexec
> helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable
> workaround in some environments.
>
> Clean cherry pick. I've modified the PoC in the Project Zero bug report
> to work on Ubuntu and verified that the fix does prevent the PoC from
> working. I also successfully ran the AppArmor ptrace regression tests to
> verify that there are no unexpected changes in the AppArmor ptrace
> mediation.
>
> Tyler
>
> Jann Horn (1):
>   ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
>
>  kernel/ptrace.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
>
> --
> 2.7.4