oss-sec mailing list archives
Re: Logic bug in the Linux kernel's __ptrace_may_access() function
From: Sam James <sam () gentoo org>
Date: Fri, 15 May 2026 03:29:56 +0100
Qualys Security Advisory <qsa () qualys com> writes:
Hi all, Today a vulnerability that we reported to security@kernel was fixed: https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a [...] Today we also contacted the linux-distros@openwall, but since exploits are already public we were told to send this to oss-security@openwall instead, hence this post. We are not publishing our advisory yet, to give distributions and users a chance to patch.
Thank you. I'm sorry you've had your moment somewhat spoiled. I include some notes for readers. -- Please note that despite the commit title and contents, it is not exclusive to ptrace, and ptrace restriction mechanisms will not help here. As for mitigations: I don't think there are any real ones. Some ideas: * Block pidfd_getfd. I don't think it's actually used that heavily and there's often fallbacks for older kernels when it is. * You could remove the world-executable bit from ssh-keysign but this is *not* the only binary affected, and this is a very weak mitigation indeed __only for the PoC__. The patch from Linus applies cleanly down to 6.6 or so. For 6.1 (IIRC), there was a trivial conflict (attached for convenience). For 5.10, a prerequisite commit is handy: 5bc78502322a5e4eef3f1b2a2813751dc6434143, then apply the 6.1 version. thanks, sam
Attachment:
0001-ptrace-slightly-saner-get_dumpable-logic.patch
Description: 6.1 patch
Attachment:
signature.asc
Description:
Current thread:
- Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Sam James (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Salvatore Bonaccorso (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Salvatore Bonaccorso (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Sam James (May 15)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory (May 15)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function David Gonzalez (May 15)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Salvatore Bonaccorso (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Sam James (May 14)
- Re: Re: Logic bug in the Linux kernel's __ptrace_may_access() function Simon McVittie (May 21)
