Re: Logic bug in the Linux kernel's __ptrace_may_access() function

[Sam James <sam () gentoo org>]

Salvatore Bonaccorso <carnil () debian org> writes:

> hi,
>
> On Fri, May 15, 2026 at 07:12:08AM +0200, Salvatore Bonaccorso wrote:
> > Hi
> >
> > On Fri, May 15, 2026 at 03:29:56AM +0100, Sam James wrote:
> > > Qualys Security Advisory <qsa () qualys com> writes:
> > >
> > > > Hi all,
> > > >
> > > > Today a vulnerability that we reported to security@kernel was fixed:
> > > >
> > > >   https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
> > > >
> > > > [...]
> > > >
> > > > Today we also contacted the linux-distros@openwall, but since exploits
> > > > are already public we were told to send this to oss-security@openwall
> > > > instead, hence this post. We are not publishing our advisory yet, to
> > > > give distributions and users a chance to patch.
> > >
> > > Thank you. I'm sorry you've had your moment somewhat spoiled.
> > >
> > > I include some notes for readers.
> > >
> > > --
> > >
> > > Please note that despite the commit title and contents, it is not
> > > exclusive to ptrace, and ptrace restriction mechanisms will not help
> > > here.
> > >
> > > As for mitigations: I don't think there are any real ones.
> > >
> > > Some ideas:
> > > * Block pidfd_getfd. I don't think it's actually used that heavily and
> > >   there's often fallbacks for older kernels when it is.
> > >
> > > * You could remove the world-executable bit from ssh-keysign
> > >   but this is *not* the only binary affected, and this is a very weak
> > >   mitigation indeed __only for the PoC__.
> > >
> > > The patch from Linus applies cleanly down to 6.6 or so. For 6.1 (IIRC),
> > > there was a trivial conflict (attached for convenience).
> > >
> > > For 5.10, a prerequisite commit is handy:
> > > 5bc78502322a5e4eef3f1b2a2813751dc6434143, then apply the 6.1 version.
> >
> > I'm not 100% certian, but setting restrictive kernel.yama.ptrace_scope
> > might as well serve as temporary workaround. Can you confirm?
>
> Nevermind, it is written above by Sam, it ptrace restricing techniques
> so won't be enough.

To correct myself now (sorry, I was up quite a while yesterday when I
first saw reports of this bug): Qualys's reply says =2 or =3 would be
enough at least with what we know so far.

What I got mixed up with was that in Gentoo, for some reasons I won't
bore readers with, =2 and =3 aren't an option yet (*), so I tried =1
and didn't think much more of it. In hindsight, I should've probed more.

> Regards,
> Salvatore

(*) https://bugs.gentoo.org/771360 and likely some other bugs

sam

Attachment: signature.asc
Description: