Yama: Check for pid death before checking ancestry

It's possible that a pid has died before we take the rcu lock, in which case we can't walk the ancestry list as it may be detached. Instead, check for death first before doing the walk. Reported-by: [email protected] Fixes: 2d51448 ("security: Yama LSM") Cc: [email protected] Suggested-by: Oleg Nesterov <[email protected]> Signed-off-by: Kees Cook <[email protected]> Signed-off-by: James Morris <[email protected]>
josf · Jan 16, 2019 · 9474f4e · 9474f4e
1 parent a811dc6
commit 9474f4e
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
@@ -368,7 +368,9 @@ static int yama_ptrace_access_check(struct task_struct *child,
 			break;
 		case YAMA_SCOPE_RELATIONAL:
 			rcu_read_lock();
-			if (!task_is_descendant(current, child) &&
+			if (!pid_alive(child))
+				rc = -EPERM;
+			if (!rc && !task_is_descendant(current, child) &&
 			    !ptracer_exception_found(current, child) &&
 			    !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
 				rc = -EPERM;