Information disclosure via ptrace (memory/dumpability metadata leakage)

HIGH
torvalds/linux
Commit: 31e62c2ebbfd
Affected: All versions prior to this patch in the 7.x series, i.e., before 7.0-rc6 (pre-patch).
2026-05-14 20:37 UTC

Description

The patch addresses an information-disclosure risk in ptrace access for tasks that have no associated memory management (mm == NULL), i.e., kernel threads. Previously, ptrace_may_access could grant access to such tasks more permissively, potentially leaking details about kernel threads and their memory-dumpability state to unprivileged or insufficiently privileged callers. The fix adds a new per-task flag (user_dumpable) to cache the last known dumpability and introduces task_still_dumpable() to decide if a task is still dumpable for ptrace checks. For tasks without an MM, access now requires either CAP_SYS_PTRACE (via the caller’s privileges) or the task having been dumpable in the past, preventing leakage of kernel-thread details in common scenarios. This aligns with the Qualys advisory and hardens ptrace-related information disclosure.

Proof of Concept

High-level PoC (conceptual, not code): - Environment: Linux system with a non-root user, unmapped kernel threads (mm == NULL) present, and a user namespace that allows ptrace within the same user namespace. The attacker does not have CAP_SYS_PTRACE. - Goal: Determine whether an unprivileged tracer can glean kernel-thread details or their dumpability state via ptrace before and after the patch. - Pre-patch scenario (for understanding attack vector): An unprivileged process attaches to a kernel thread and queries its memory/dumpability state through ptrace operations. Because non-MM tasks were not strictly gated by CAP_SYS_PTRACE in the old path, some information about the thread’s dumpability or related metadata could leak to the tracer. - Post-patch scenario (exploit attempt): The tracer calls ptrace to the same kernel thread but is denied unless either CAP_SYS_PTRACE is held or the target task’s last-dumpable state (user_dumpable) permits dumping. The attacker would observe a denial (EPERM) or be blocked from reading sensitive metadata, preventing information leakage. - Steps (high level): 1) Create a kernel thread (mm == NULL) and ensure it has a known dumpability history (e.g., it previously had an mm and set get_dumpable(...)). 2) In an unprivileged process, attempt a ptrace_attach to the kernel thread and perform a simple read via ptrace (e.g., to peek a word in memory or query task metadata). 3) Note whether access succeeds before the patch (likely more permissive) and fails after the patch unless CAP_SYS_PTRACE is present or the thread’s last-dumpable flag allows it. 4) Validate that CAP_SYS_PTRACE or the appropriate last-dumpable state is required to override for non-MM tasks. - Outcome: Demonstrates that the patch mitigates an information-disclosure vector where an unprivileged tracer could obtain kernel-thread details through ptrace by bypassing non-MM checks. The fix enforces stronger gating via CAP_SYS_PTRACE and the cached last-dumpable flag.

Commit Details

Author: Linus Torvalds

Date: 2026-05-13 18:37 UTC

Message:

ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override. Reported-by: Qualys Security Advisory <qsa@qualys.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Kees Cook <kees@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Triage Assessment

Vulnerability Type: Information disclosure

Confidence: HIGH

Reasoning:

The patch adjusts how ptrace checks for access rights to a task's memory dumpability, preventing leakage of kernel thread details and dumpable state to unprivileged or improperly privileged tasks. It introduces a safeguard that requires CAP_SYS_PTRACE to override dumpability checks for tasks without an MM, and preserves a cached last-dumpable flag for non-MM tasks. This directly addresses information disclosure via ptrace, aligning with the Qualys advisory and kernel hardening against leaking sensitive process memory/metadata.

Verification Assessment

Vulnerability Type: Information disclosure via ptrace (memory/dumpability metadata leakage)

Confidence: HIGH

Affected Versions: All versions prior to this patch in the 7.x series, i.e., before 7.0-rc6 (pre-patch).

Code Diff

diff --git a/include/linux/sched.h b/include/linux/sched.h index 368c7b4d7cb510..ee06cba5c6f538 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1002,6 +1002,9 @@ struct task_struct { unsigned sched_rt_mutex:1; #endif + /* Save user-dumpable when mm goes away */ + unsigned user_dumpable:1; + /* Bit to tell TOMOYO we're in execve(): */ unsigned in_execve:1; unsigned in_iowait:1; diff --git a/kernel/exit.c b/kernel/exit.c index 9a909993ab1d8b..f50d73c272d6ee 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -571,6 +571,7 @@ static void exit_mm(void) */ smp_mb__after_spinlock(); local_irq_disable(); + current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); current->mm = NULL; membarrier_update_current_mm(NULL); enter_lazy_tlb(mm, current); diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 68c17daef8d40b..130043bfc2091c 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode) return ns_capable(ns, CAP_SYS_PTRACE); } +static bool task_still_dumpable(struct task_struct *task, unsigned int mode) +{ + struct mm_struct *mm = task->mm; + if (mm) { + if (get_dumpable(mm) == SUID_DUMP_USER) + return true; + return ptrace_has_cap(mm->user_ns, mode); + } + + if (task->user_dumpable) + return true; + return ptrace_has_cap(&init_user_ns, mode); +} + /* Returns 0 on success, -errno on denial. */ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) { const struct cred *cred = current_cred(), *tcred; - struct mm_struct *mm; kuid_t caller_uid; kgid_t caller_gid; @@ -337,11 +350,8 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) * Pairs with a write barrier in commit_creds(). */ smp_rmb(); - mm = task->mm; - if (mm && - ((get_dumpable(mm) != SUID_DUMP_USER) && - !ptrace_has_cap(mm->user_ns, mode))) - return -EPERM; + if (!task_still_dumpable(task, mode)) + return -EPERM; return security_ptrace_access_check(task, mode); }
← Back to Alerts View on GitHub →