diff options
author | Linus Torvalds <torvalds@g5.osdl.org> | 2006-05-07 10:49:33 -0700 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2006-05-20 15:00:33 -0700 |
commit | 65b01b76265047aa59d6eb741ec61468c8867256 (patch) | |
tree | 9f1503d3b24bd7ce34cad2eaa58c42d2dbd664bb | |
parent | 1d4532d4d7351b552220d9ef0a1901a33f00ee5f (diff) | |
download | lwn-65b01b76265047aa59d6eb741ec61468c8867256.tar.gz lwn-65b01b76265047aa59d6eb741ec61468c8867256.zip |
[PATCH] Fix ptrace_attach()/ptrace_traceme()/de_thread() race
This holds the task lock (and, for ptrace_attach, the tasklist_lock)
over the actual attach event, which closes a race between attacking to a
thread that is either doing a PTRACE_TRACEME or getting de-threaded.
Thanks to Oleg Nesterov for reminding me about this, and Chris Wright
for noticing a lost return value in my first version.
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | kernel/ptrace.c | 39 |
1 files changed, 21 insertions, 18 deletions
diff --git a/kernel/ptrace.c b/kernel/ptrace.c index b5eaeb91a7bd..99f9fa4550c7 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -149,12 +149,16 @@ int ptrace_may_attach(struct task_struct *task) int ptrace_attach(struct task_struct *task) { int retval; - task_lock(task); + retval = -EPERM; if (task->pid <= 1) - goto bad; + goto out; if (task->tgid == current->tgid) - goto bad; + goto out; + + write_lock_irq(&tasklist_lock); + task_lock(task); + /* the same process cannot be attached many times */ if (task->ptrace & PT_PTRACED) goto bad; @@ -167,17 +171,15 @@ int ptrace_attach(struct task_struct *task) ? PT_ATTACHED : 0); if (capable(CAP_SYS_PTRACE)) task->ptrace |= PT_PTRACE_CAP; - task_unlock(task); - write_lock_irq(&tasklist_lock); __ptrace_link(task, current); - write_unlock_irq(&tasklist_lock); force_sig_specific(SIGSTOP, task); - return 0; bad: + write_unlock_irq(&tasklist_lock); task_unlock(task); +out: return retval; } @@ -418,21 +420,22 @@ int ptrace_request(struct task_struct *child, long request, */ int ptrace_traceme(void) { - int ret; + int ret = -EPERM; /* * Are we already being traced? */ - if (current->ptrace & PT_PTRACED) - return -EPERM; - ret = security_ptrace(current->parent, current); - if (ret) - return -EPERM; - /* - * Set the ptrace bit in the process ptrace flags. - */ - current->ptrace |= PT_PTRACED; - return 0; + task_lock(current); + if (!(current->ptrace & PT_PTRACED)) { + ret = security_ptrace(current->parent, current); + /* + * Set the ptrace bit in the process ptrace flags. + */ + if (!ret) + current->ptrace |= PT_PTRACED; + } + task_unlock(current); + return ret; } /** |