Ubuntu 15.10 kernel bug

I recently raised (as part of my job) an Ubuntu 15.10 kernel bug (titled “Kernel bug in mm/memory.c when ptrace poking to PROT_NONE map“) that’s hit when trying to use ptrace() to poke to a map that’s marked as having no permissions.

Based on comments from Linus Torvalds, it sounds like it used to be possible to use ptrace() to do things the process being controlled itself cannot do (it is possible to use ptrace() in this way on Ubuntu 14.04), but they’re removing such cases. He says:

Side note: as to why handle_mm_fault() doesn’t just do things itself,
there’s a historical situation where we used to let people do things
in ptrace() that they couldn’t do directly, and punch through
protections (and turn shared read-only pages into a dirty private
page).

So the permissions checking was up to the caller, because some callers
could do things that other callers could not.

I *think* we have gotten rid of all those cases, and I guess we could
consider just making handle_mm_fault() itself stricter. But that’s the
historical background on why callers need to check this.

So it makes sense that this might not work, however clearly it shouldn’t crash the kernel (fortunately we managed to work around the kernel bug in our own code). It’ll be interesting to see how this progresses.

Leave a Reply

Your email address will not be published. Required fields are marked *