Kernel: Prevent execve/ptrace race

Add a per-process ptrace lock and use it to prevent ptrace access to a process after it decides to commit to a new executable in sys$execve(). Fixes #5230.
Author: https://github.com/awesomekling Commit: https://github.com/SerenityOS/serenity/commit/4ff0f971f7e
2025-01-07 19:57:45 +03:00 · 2021-02-08 23:01:53 +01:00 · 2021-02-08 23:01:53 +01:00 · 4ff0f971f7 · 2024-07-18 22:29:11 +09:00
commit 4ff0f971f7
parent 4b7b92c201
3 changed files with 8 additions and 4 deletions
--- a/Kernel/Process.h
+++ b/Kernel/Process.h
@ -408,10 +408,8 @@ public:
        return m_thread_count.load(AK::MemoryOrder::memory_order_relaxed);
    }

-    Lock& big_lock()
-    {
-        return m_big_lock;
-    }
+    Lock& big_lock() { return m_big_lock; }
+    Lock& ptrace_lock() { return m_ptrace_lock; }

    Custody& root_directory();
    Custody& root_directory_relative_to_global_root();
@ -579,6 +577,7 @@ private:
    size_t m_master_tls_alignment { 0 };

    Lock m_big_lock { "Process" };
+    Lock m_ptrace_lock { "ptrace" };

    RefPtr<Timer> m_alarm_timer;

--- a/Kernel/Syscalls/execve.cpp
+++ b/Kernel/Syscalls/execve.cpp
@ -483,6 +483,9 @@ int Process::do_exec(NonnullRefPtr<FileDescription> main_program_description, Ve

    // We commit to the new executable at this point. There is no turning back!

+    // Prevent other processes from attaching to us with ptrace while we're doing this.
+    Locker ptrace_locker(ptrace_lock());
+
    // Disable profiling temporarily in case it's running on this process.
    TemporaryChange profiling_disabler(m_profiling, false);

--- a/Kernel/Syscalls/ptrace.cpp
+++ b/Kernel/Syscalls/ptrace.cpp
@ -57,6 +57,8 @@ static KResultOr<u32> handle_ptrace(const Kernel::Syscall::SC_ptrace_params& par
    if (!peer)
        return ESRCH;

+    Locker ptrace_locker(peer->process().ptrace_lock());
+
    if ((peer->process().uid() != caller.euid())
        || (peer->process().uid() != peer->process().euid())) // Disallow tracing setuid processes
        return EACCES;