calling PTRACE_ATTACH from thread of parent does not attach to child

Bug #737676 reported by Kees Cook on 2011-03-18
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Kees Cook
Maverick
Medium
Kees Cook
Natty
Medium
Kees Cook

Bug Description

Reproducer attached

Kees Cook (kees) wrote :
Changed in linux (Ubuntu Maverick):
status: New → In Progress
Changed in linux (Ubuntu Natty):
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
milestone: none → ubuntu-11.04-beta-1
status: New → In Progress
Changed in linux (Ubuntu Maverick):
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
milestone: none → maverick-updates
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.38-7.36

---------------
linux (2.6.38-7.36) natty; urgency=low

  [ Andy Whitcroft ]

  * Revert "SAUCE: KLUDGE: work around failed 'shrink-wrap' compiler
    optimisation"
  * purge last vestiges of maverick
  * [Config] switch CONFIG_FB_VESA back to module

  [ Chris Wilson ]

  * SAUCE: drm/i915: Fix pipelined fencing
    - LP: #717114

  [ Loïc Minier ]

  * Include nls_cp437 module in virtual for fat
    - LP: #732046
  * Support arch= cross-compilation for any arch
  * Fix couple of typos in 0-common-vars.mk
  * Enforce DEFAULT_MMAP_MIN_ADDR on armhf
  * Add armhf to Debian -> Linux arch map
  * Add initial armhf.mk
  * Enable common packages for armhf

  [ Upstream Kernel Changes ]

  * Yama: fix default relationship to check thread group
    - LP: #737676
 -- Andy Whitcroft <email address hidden> Fri, 18 Mar 2011 18:18:02 +0000

Changed in linux (Ubuntu Natty):
status: In Progress → Fix Released
Tim Gardner (timg-tpi) on 2011-04-08
Changed in linux (Ubuntu Maverick):
status: In Progress → Fix Committed

Accepted linux into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Steve Conklin (sconklin) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed' to 'verification-done'.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-maverick
Kees Cook (kees) wrote :

Confirmed to be fixed using QRT r1242 for testing...

Before (2.6.35-28.50-generic): sudo ./test-kernel-security.py -v
...
ptrace of child works from parent threads (LP: #737676) ... FAIL

======================================================================
FAIL: ptrace of child works from parent threads (LP: #737676)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-kernel-security.py", line 1049, in test_093_ptrace_restriction_parent_via_thread
    self.assertShellExitEquals(expected, ['sudo','-u',os.environ['SUDO_USER'],'./thread-prctl','0','0'])
  File "/home/kees/qa-regression-testing/scripts/testlib.py", line 839, in assertShellExitEquals
    self.assertEquals(expected, rc, msg + result + report)
AssertionError: Got exit code 2, expected 0
Command: 'sudo', '-u', 'kees', './thread-prctl', '0', '0'
Output:
will fork tracee from tracer
will issue ptrace from tracer thread
master is 11021
master waiting for tracer to finish
tracer is 11022
tracer 11022 waiting
forking tracee from tracer
tracee 11024 reading tracer pid
tracee 11024 started (expecting 11022 as tracer)
tracee triggering tracer
tracer to PTRACE_ATTACH my tracee 11024
tracer ptrace attach has failed: Operation not permitted
master waiting for tracee to finish
master saw rc 2 from tracer
tracee waiting for master
tracee finished (stop)

----------------------------------------------------------------------
Ran 48 tests in 27.344s

FAILED (failures=1)

After (2.6.35-29.51-generic): $ sudo ./test-kernel-security.py -v
...
ptrace of child works from parent threads (LP: #737676) ... ok
...

tags: added: verification-done-maverick
removed: verification-needed-maverick
Launchpad Janitor (janitor) wrote :
Download full text (30.0 KiB)

This bug was fixed in the package linux - 2.6.35-30.54

---------------
linux (2.6.35-30.54) maverick-proposed; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #794114

  [ Upstream Kernel Changes ]

  * Revert "xhci: Fix full speed bInterval encoding."
  * Revert "USB: xhci - also free streams when resetting devices"
  * Revert "USB: xhci - fix math in xhci_get_endpoint_interval()"
  * Revert "USB: xhci - fix unsafe macro definitions"

linux (2.6.35-30.53) maverick-proposed; urgency=low

  [ Upstream Kernel Changes ]

  * xhci: Fix full speed bInterval encoding.
    - LP: #792959

linux (2.6.35-30.52) maverick-proposed; urgency=low

  [ Herton R. Krzesinski ]

  * Release Tracking Bug
    - LP: #790653

  [ Stefan Bader ]

  * Include nls_iso8859-1 for virtual images
    - LP: #732046

  [ Thomas Schlichter ]

  * SAUCE: vesafb: mtrr module parameter is uint, not bool
    - LP: #778043

  [ Tim Gardner ]

  * [Config] Add cachefiles.ko to virtual flavour
    - LP: #770430

  [ Upstream Kernel Changes ]

  * Revert "intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot
    hang"
    - LP: #772560
  * Revert "TPM: Long default timeout fix"
    - LP: #772560
  * Revert "tpm_tis: Use timeouts returned from TPM"
    - LP: #772560
  * Revert "xen: set max_pfn_mapped to the last pfn mapped"
  * CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565
    - LP: #765007
    - CVE-2010-4565
  * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1,
    CVE-2011-0711
    - LP: #767740
    - CVE-2011-0711
  * Treat writes as new when holes span across page boundaries,
    CVE-2011-0463
    - LP: #770483
    - CVE-2011-0463
  * fs/partitions/ldm.c: fix oops caused by corrupted partition table,
    CVE-2011-1017
    - LP: #771382
    - CVE-2011-1017
  * qla2xxx: Make the FC port capability mutual exclusive.
    - LP: #772560
  * staging: usbip: bugfixes related to kthread conversion
    - LP: #772560
  * staging: usbip: bugfix add number of packets for isochronous frames
    - LP: #772560
  * staging: usbip: bugfix for isochronous packets and optimization
    - LP: #772560
  * staging: hv: Fix GARP not sent after Quick Migration
    - LP: #772560
  * staging: hv: use sync_bitops when interacting with the hypervisor
    - LP: #772560
  * irda: validate peer name and attribute lengths
    - LP: #772560
  * irda: prevent heap corruption on invalid nickname
    - LP: #772560
  * nilfs2: fix data loss in mmap page write for hole blocks
    - LP: #772560
  * ASoC: Explicitly say registerless widgets have no register
    - LP: #772560
  * ALSA: ens1371: fix Creative Ectiva support
    - LP: #772560
  * ROSE: prevent heap corruption with bad facilities
    - LP: #772560
  * Btrfs: Fix uninitialized root flags for subvolumes
    - LP: #772560
  * x86, mtrr, pat: Fix one cpu getting out of sync during resume
    - LP: #772560
  * UBIFS: do not read flash unnecessarily
    - LP: #772560
  * UBIFS: fix oops on error path in read_pnode
    - LP: #772560
  * UBIFS: fix debugging failure in dbg_check_space_info
    - LP: #772560
  * quota: Don't write quota info in dquot_commit()
    - LP: #772560
  * mm: avoid wrapping vm_...

Changed in linux (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments