oss-sec mailing list archives
Re: Logic bug in the Linux kernel's __ptrace_may_access() function
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 15 May 2026 07:20:28 +0200
hi, On Fri, May 15, 2026 at 07:12:08AM +0200, Salvatore Bonaccorso wrote:
Hi On Fri, May 15, 2026 at 03:29:56AM +0100, Sam James wrote:Qualys Security Advisory <qsa () qualys com> writes:Hi all, Today a vulnerability that we reported to security@kernel was fixed: https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a [...] Today we also contacted the linux-distros@openwall, but since exploits are already public we were told to send this to oss-security@openwall instead, hence this post. We are not publishing our advisory yet, to give distributions and users a chance to patch.Thank you. I'm sorry you've had your moment somewhat spoiled. I include some notes for readers. -- Please note that despite the commit title and contents, it is not exclusive to ptrace, and ptrace restriction mechanisms will not help here. As for mitigations: I don't think there are any real ones. Some ideas: * Block pidfd_getfd. I don't think it's actually used that heavily and there's often fallbacks for older kernels when it is. * You could remove the world-executable bit from ssh-keysign but this is *not* the only binary affected, and this is a very weak mitigation indeed __only for the PoC__. The patch from Linus applies cleanly down to 6.6 or so. For 6.1 (IIRC), there was a trivial conflict (attached for convenience). For 5.10, a prerequisite commit is handy: 5bc78502322a5e4eef3f1b2a2813751dc6434143, then apply the 6.1 version.I'm not 100% certian, but setting restrictive kernel.yama.ptrace_scope might as well serve as temporary workaround. Can you confirm?
Nevermind, it is written above by Sam, it ptrace restricing techniques so won't be enough. Regards, Salvatore
Current thread:
- Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Sam James (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Salvatore Bonaccorso (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Salvatore Bonaccorso (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Sam James (May 15)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory (May 15)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function David Gonzalez (May 15)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Salvatore Bonaccorso (May 14)
- Re: Logic bug in the Linux kernel's __ptrace_may_access() function Sam James (May 14)
- Re: Re: Logic bug in the Linux kernel's __ptrace_may_access() function Simon McVittie (May 21)
