PR_SET_PTRACER does not work from a thread

Bug #729839 reported by Philippe Waroquiers on 2011-03-05
Affects           Status        Importance  Assigned to  Milestone
linux (Ubuntu)    Fix Released  High        Kees Cook    ubuntu-11.04-beta-1
  Maverick        Fix Released  Medium      Kees Cook    maverick-updates
  Natty           Fix Released  High        Kees Cook    ubuntu-11.04-beta-1

Bug Description

Linux ubuntu 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux

The program below reproduces the problem.
If you launch it without an argument, the thread will call PR_SET_PTRACER.
Then the child process cannot ptrace its parent.
If it is the main thread which is calling PR_SET_PTRACER, then it works properly.
Just give an argument to the program to have the main thread call PR_SET_PTRACER.

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/prctl.h>

/* Older <sys/prctl.h> does not carry the Yama request; value from <linux/prctl.h>. */
#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61
#endif

int main_does_prctl;
int ret;

pid_t child;

static void *thr_fn(void *v)
{
   (void)v;
   if (!main_does_prctl) {
      /* A non-leader thread grants the child the right to ptrace us. */
      ret = prctl (PR_SET_PTRACER, child, 0, 0, 0);
      printf("thread prctl result %d \n", ret);
   }
   printf("thread sleeping\n");
   sleep(100);
   return NULL;
}

int main(int argc, char*argv[])
{
   pthread_t thr;
   pid_t parent = getpid();
   long ptrace_result;

   child = fork();
   if (child == 0) {
      /* This is the child, sleep to let our parent set_ptracer
         us. */
      printf("child sleeping\n");
      sleep (5);
      printf("will ptrace my parent %d\n", parent);
      ptrace_result = ptrace (PTRACE_ATTACH, parent, NULL, NULL);
      if (ptrace_result == 0)
         printf ("ptrace attach successful\n");
      else
         perror ("ptrace attach has failed");
      printf("killing parent\n");
      ptrace_result = ptrace (PTRACE_KILL, parent, NULL, NULL);
      if (ptrace_result == 0)
         printf ("ptrace kill successful\n");
      else
         perror ("ptrace kill has failed");
      exit(0);
   }

   main_does_prctl = argc > 1;

   pthread_create(&thr, NULL, thr_fn, NULL);

   if (main_does_prctl) {
      /* The thread group leader grants the permission instead. */
      ret = prctl (PR_SET_PTRACER, child, 0, 0, 0);
      printf("main prctl result %d \n", ret);
   }
   printf("main sleeping\n");
   sleep(100);
   return 0;
}

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: linux-image-2.6.35-22-generic 2.6.35-22.33
Regression: No
Reproducible: Yes
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic i686
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.23.
AplayDevices:
 **** List of PLAYBACK Hardware Devices ****
 card 0: Intel [HDA Intel], device 0: ALC268 Analog [ALC268 Analog]
   Subdevices: 1/1
   Subdevice #0: subdevice #0
Architecture: i386
ArecordDevices:
 **** List of CAPTURE Hardware Devices ****
 card 0: Intel [HDA Intel], device 0: ALC268 Analog [ALC268 Analog]
   Subdevices: 1/1
   Subdevice #0: subdevice #0
AudioDevicesInUse:
 Cannot stat file /proc/4717/fd/40: Stale NFS file handle
                      USER PID ACCESS COMMAND
 /dev/snd/controlC0: ubuntu 3262 F.... pulseaudio
CRDA: Error: [Errno 2] No such file or directory
Card0.Amixer.info:
 Card hw:0 'Intel'/'HDA Intel at 0xd4600000 irq 45'
   Mixer name : 'Realtek ALC268'
   Components : 'HDA:10ec0268,1179ff66,00100003 HDA:11c11040,11790001,00100200'
   Controls : 13
   Simple ctrls : 8
Date: Sat Mar 5 20:00:32 2011
LiveMediaBuild: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
MachineType: TOSHIBA Satellite L300
ProcCmdLine: file=/cdrom/preseed/hostname.seed boot=casper initrd=/casper/initrd.lz quiet splash -- maybe-ubiquity
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
RelatedPackageVersions: linux-firmware 1.38
RfKill:
 0: phy0: Wireless LAN
  Soft blocked: no
  Hard blocked: no
SourcePackage: linux
dmi.bios.date: 10/09/2008
dmi.bios.vendor: INSYDE
dmi.bios.version: 1.30
dmi.board.asset.tag: Base Board Asset Tag
dmi.board.name: Portable PC
dmi.board.vendor: TOSHIBA
dmi.board.version: Base Board Version
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: Chassis Manufacturer
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnINSYDE:bvr1.30:bd10/09/2008:svnTOSHIBA:pnSatelliteL300:pvrPSLB8E-01200DBT:rvnTOSHIBA:rnPortablePC:rvrBaseBoardVersion:cvnChassisManufacturer:ct10:cvrChassisVersion:
dmi.product.name: Satellite L300
dmi.product.version: PSLB8E-01200DBT
dmi.sys.vendor: TOSHIBA
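The following is an added example, not code from the bug report or from the Ubuntu kernel: a small guard that a program can use to avoid the failure mode above. On the affected kernels a PR_SET_PTRACER issued from a non-leader thread returned success yet did not let the named tracer attach, so the wrapper refuses to issue the prctl unless the calling thread is the thread group leader (kernel task id equal to the process id) and reports that refusal as a distinct return code instead of silently doing nothing. It also reads Yama's /proc/sys/kernel/yama/ptrace_scope, since the prctl only matters when the scope is 1 (restricted). The helper names (in_thread_group_leader, yama_ptrace_scope, set_ptracer_from_leader, probe_from_thread) are mine; the PR_SET_PTRACER value is the one from <linux/prctl.h>, and a Linux host with glibc is assumed.

```c
/* Added example: issue PR_SET_PTRACER only from the thread group leader.
   Not part of the bug report; helper names are the author's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61          /* "Yama", from <linux/prctl.h> */
#endif

enum { SET_PTRACER_OK = 0, SET_PTRACER_NOT_LEADER = -2 };

/* 1 when the calling thread is the thread group leader: its kernel task id
   (gettid) equals the process id. Only the leader's prctl was honoured on
   the kernels this bug affected. */
int in_thread_group_leader(void)
{
    return (pid_t)syscall(SYS_gettid) == getpid();
}

/* Yama ptrace_scope: 0 classic, 1 restricted (PR_SET_PTRACER needed for a
   tracer that is not an ancestor), 2 admin-only, 3 no attach at all.
   Returns -1 when the sysctl is absent, i.e. Yama is not active. */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Grant `tracer` permission to ptrace this process, but only from the
   thread group leader. Returns SET_PTRACER_OK, SET_PTRACER_NOT_LEADER when
   refused, or -1 with errno from prctl (EINVAL when Yama is not present). */
int set_ptracer_from_leader(pid_t tracer)
{
    if (!in_thread_group_leader())
        return SET_PTRACER_NOT_LEADER;   /* refuse rather than silently no-op */
    if (prctl(PR_SET_PTRACER, (unsigned long)tracer, 0, 0, 0) != 0)
        return -1;
    return SET_PTRACER_OK;
}

/* Worker for probe_from_thread: records what a non-leader thread sees. */
static void *probe_thread(void *arg)
{
    int *out = arg;
    out[0] = in_thread_group_leader();            /* expected 0 */
    out[1] = set_ptracer_from_leader(getppid());  /* expected refusal */
    return NULL;
}

/* Run the probe in a fresh thread. Returns 0 on success and fills out[2]. */
int probe_from_thread(int out[2])
{
    pthread_t t;
    if (pthread_create(&t, NULL, probe_thread, out) != 0)
        return -1;
    pthread_join(t, NULL);
    return 0;
}

int main(void)
{
    int from_thread[2] = {0, 0};
    printf("yama ptrace_scope: %d\n", yama_ptrace_scope());
    printf("main thread is leader: %d\n", in_thread_group_leader());
    if (probe_from_thread(from_thread) == 0)
        printf("worker thread is leader: %d, guarded prctl from worker: %d\n",
               from_thread[0], from_thread[1]);
    return 0;
}
```

On a kernel carrying the "Yama: use thread group leader when creating match" change the guard is no longer needed for correctness, but it still turns an easily missed silent no-op into a visible error on anything older, and it keeps the prctl out of helper threads where callers rarely expect process-wide side effects.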

Kees Cook (kees) on 2011-03-08
Changed in linux (Ubuntu):
status: New → Confirmed
assignee: nobody → Kees Cook (kees)
importance: Undecided → High
milestone: none → ubuntu-11.04-beta-1
Kees Cook (kees) wrote:

Ah, yes. Looks like this is the inverse of a bug that was fixed during Maverick development. I've got a test kernel building now, and should have results shortly.

Changed in linux (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
milestone: none → maverick-updates
Kees Cook (kees) wrote:
Changed in linux (Ubuntu Natty):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Maverick):
status: Confirmed → Fix Committed
Tim Gardner (timg-tpi) on 2011-03-08
Changed in linux (Ubuntu Maverick):
status: Fix Committed → In Progress
Kees Cook (kees) on 2011-03-08
tags: added: natty
removed: needs-upstream-testing
Kees Cook (kees) on 2011-03-10
Changed in linux (Ubuntu Maverick):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 2.6.38-7.35

---------------
linux (2.6.38-7.35) natty; urgency=low

  [ Andy Whitcroft ]

  * rebase to 2fbfac4e053861925fa3fffcdc327649b09af54c
  * rebase fixes bug #715330
  * [Config] disable CONFIG_SCSI_QLA_ISCSI for powerpc 32bit to fix FTBS
  * rebase to v2.6.38 final

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: Apply OPTION_BLACKLIST_SENDSETUP also for ZTE MF626
    - LP: #636091

  [ Tim Gardner ]

  * [Confg] CONFIG_BOOT_PRINTK_DELAY=y

  [ Upstream Kernel Changes ]

  * Yama: use thread group leader when creating match
    - LP: #729839
  * (drop after 2.6.38) ahci: AHCI mode SATA patch for Intel Patsburg SATA
    RAID controller
    - LP: #735240
  * (drop after v2.6.38) x86, quirk: Fix SB600 revision check

  [ Major Kernel Changes ]

  * rebase from v2.6.38-rc8 to v2.6.38 final
    - LP: #715330
 -- Andy Whitcroft <email address hidden> Tue, 15 Mar 2011 19:04:19 +0000

Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released
Brad Figg (brad-figg) wrote:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed' to 'verification-done'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-maverick
tags: added: verification-done-maverick
removed: verification-needed-maverick
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 2.6.35-28.50

---------------
linux (2.6.35-28.50) maverick-proposed; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #734399

  [ Corentin Chary ]

  * SAUCE: (drop after 2.6.38) eeepc-wmi: reorder keymap
    - LP: #689393
  * SAUCE: (drop after 2.6.38) eeepc-wmi: add wlan key found on 1015P
    - LP: #689393

  [ Keng-Yu Lin ]

  * SAUCE: eeepc-wmi: set the touchpad toggle key code to F22
    - LP: #689393

  [ Tim Gardner ]

  * [Config] CONFIG_BOOT_PRINTK_DELAY=y
    - LP: #733191

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon/bo: add some fallback placements for VRAM only
    objects."
    - LP: #652934
  * eeepc-wmi: add additional hotkeys
    - LP: #689393
  * xen: don't bother to stop other cpus on shutdown/reboot
    - LP: #727814
  * Yama: use thread group leader when creating match
    - LP: #729839
  * mmc: sdhci-pci: add ricoh e822 pci id with device specific quirks
    - LP: #730820
 -- Brad Figg <email address hidden> Sun, 13 Mar 2011 07:01:39 -0700

Changed in linux (Ubuntu Maverick):
status: Fix Committed → Fix Released