Salvatore Bonaccorso <[email protected]> writes:

> hi,
>
> On Fri, May 15, 2026 at 07:12:08AM +0200, Salvatore Bonaccorso wrote:
>> Hi
>>
>> On Fri, May 15, 2026 at 03:29:56AM +0100, Sam James wrote:
>> > Qualys Security Advisory <[email protected]> writes:
>> >
>> > > Hi all,
>> > >
>> > > Today a vulnerability that we reported to security@kernel was fixed:
>> > >
>> > > https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
>> > >
>> > > [...]
>> > >
>> > > Today we also contacted the linux-distros@openwall, but since exploits
>> > > are already public we were told to send this to oss-security@openwall
>> > > instead, hence this post. We are not publishing our advisory yet, to
>> > > give distributions and users a chance to patch.
>> >
>> > Thank you. I'm sorry you've had your moment somewhat spoiled.
>> >
>> > I include some notes for readers.
>> >
>> > --
>> >
>> > Please note that despite the commit title and contents, it is not
>> > exclusive to ptrace, and ptrace restriction mechanisms will not help
>> > here.
>> >
>> > As for mitigations: I don't think there are any real ones.
>> >
>> > Some ideas:
>> > * Block pidfd_getfd. I don't think it's actually used that heavily and
>> >   there's often fallbacks for older kernels when it is.
>> >
>> > * You could remove the world-executable bit from ssh-keysign
>> >   but this is *not* the only binary affected, and this is a very weak
>> >   mitigation indeed __only for the PoC__.
>> >
>> > The patch from Linus applies cleanly down to 6.6 or so. For 6.1 (IIRC),
>> > there was a trivial conflict (attached for convenience).
>> >
>> > For 5.10, a prerequisite commit is handy:
>> > 5bc78502322a5e4eef3f1b2a2813751dc6434143, then apply the 6.1 version.
>>
>> I'm not 100% certain, but setting restrictive kernel.yama.ptrace_scope
>> might as well serve as temporary workaround. Can you confirm?
>
> Nevermind, it is written above by Sam: ptrace restricting techniques
> won't be enough.
To correct myself now (sorry, I was up quite a while yesterday when I
first saw reports of this bug): Qualys's reply says =2 or =3 would be
enough at least with what we know so far.

What I got mixed up with was that in Gentoo, for some reasons I won't
bore readers with, =2 and =3 aren't an option yet (*), so I tried =1 and
didn't think much more of it. In hindsight, I should've probed more.

>
> Regards,
> Salvatore

(*) https://bugs.gentoo.org/771360 and likely some other bugs

sam
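An added audit helper (mine, not from the thread or from Qualys) that reports whether the two temporary workarounds discussed above are in place on a host: the Yama sysctl path is real, while the ssh-keysign location and the use of GNU `stat -c %a` are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the thread. Checks the two workarounds
# discussed above. /proc/sys/kernel/yama/ptrace_scope is the real sysctl;
# the ssh-keysign path is an assumption (Debian layout) and `stat -c %a`
# assumes GNU coreutils.
KEYSIGN_PATH="${KEYSIGN_PATH:-/usr/lib/openssh/ssh-keysign}"

# Interpret a kernel.yama.ptrace_scope value as the thread does: 2 (attach
# needs CAP_SYS_PTRACE) or 3 (no attach at all) is what Qualys said would be
# enough; 1 only limits PTRACE_ATTACH to descendants and is not enough.
ptrace_scope_status() {
  case "$1" in
    2|3) echo "ok" ;;
    0|1) echo "insufficient" ;;
    *)   echo "unknown" ;;
  esac
}

# Given an octal mode string (e.g. 4755), report whether the world-execute
# bit that Sam suggests dropping from ssh-keysign is still set.
world_exec_status() {
  case "$1" in
    ""|*[!0-7]*) echo "unknown"; return ;;
  esac
  if [ $(( 0$1 & 01 )) -eq 1 ]; then
    echo "world-executable"
  else
    echo "restricted"
  fi
}

# Run both checks against the live host, one line per check.
audit_host() {
  scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "n/a")
  echo "ptrace_scope=$scope: $(ptrace_scope_status "$scope")"
  if [ -e "$KEYSIGN_PATH" ]; then
    mode=$(stat -c %a "$KEYSIGN_PATH" 2>/dev/null || echo "n/a")
    echo "$KEYSIGN_PATH mode=$mode: $(world_exec_status "$mode")"
  else
    echo "$KEYSIGN_PATH: not present"
  fi
}

if [ "${1:-}" = "--audit" ]; then
  audit_host
fi
```

Run it as `sh audit.sh --audit`; the pure helper functions can be sourced and reused on values pulled from a fleet inventory instead of the live host.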