ACK/Cmnt: [SRU][J][PATCH 1/1] ptrace: slightly saner 'get_dumpable()' logic
Manuel Diewald
manuel.diewald at canonical.com
Fri May 22 09:57:32 UTC 2026
On Fri, May 22, 2026 at 10:44:37AM +0200, Edoardo Canepa wrote:
> From: Linus Torvalds <torvalds at linux-foundation.org>
>
> The 'dumpability' of a task is fundamentally about the memory image of
> the task - the concept comes from whether it can core dump or not - and
> makes no sense when you don't have an associated mm.
>
> And almost all users do in fact use it only for the case where the task
> has a mm pointer.
>
> But we have one odd special case: ptrace_may_access() uses 'dumpable' to
> check various other things entirely independently of the MM (typically
> explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
> threads that no longer have a VM (and maybe never did, like most kernel
> threads).
>
> It's not what this flag was designed for, but it is what it is.
>
> The ptrace code does check that the uid/gid matches, so you do have to
> be uid-0 to see kernel thread details, but this means that the
> traditional "drop capabilities" model doesn't make any difference for
> this all.
>
> Make it all make a *bit* more sense by saying that if you don't have a
> MM pointer, we'll use a cached "last dumpability" flag if the thread
> ever had a MM (it will be zero for kernel threads since it is never
> set), and require a proper CAP_SYS_PTRACE capability to override.
>
> Reported-by: Qualys Security Advisory <qsa at qualys.com>
> Cc: Oleg Nesterov <oleg at redhat.com>
> Cc: Kees Cook <kees at kernel.org>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (backported picked from commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a)
I will fix this typo 'backported picked' -> 'backported' when applying.
> [ecanepa: context adjusted in include/linux/sched.h]
> CVE-2026-46333
> Signed-off-by: Edoardo Canepa <edoardo.canepa at canonical.com>
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel
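To make the behavioural change in the quoted commit message concrete, here is an added example: a simplified C model of the before/after decision it describes, not the patch itself and not kernel code. The struct and field names (`task_model`, `last_dumpable`, the caller's `cap_sys_ptrace` flag) are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: a task either has a memory image (mm) or not. */
struct mm_model {
    int dumpable;            /* 1 = dumpable, 0 = not dumpable */
};

struct task_model {
    struct mm_model *mm;     /* NULL for kernel threads and tasks that exited */
    int last_dumpable;       /* cached when the task last had an mm; 0 if it never did */
    unsigned int uid;
};

struct caller_model {
    unsigned int uid;
    bool cap_sys_ptrace;     /* caller holds CAP_SYS_PTRACE (assumed flag) */
};

/* Pre-patch behaviour as the commit message describes it: the uid must
 * match (or the caller must hold CAP_SYS_PTRACE), but a task without an
 * mm has no dumpability to check, so that check is simply skipped and
 * dropping capabilities makes no difference for kernel threads. */
bool may_access_before(const struct task_model *t, const struct caller_model *c)
{
    if (c->cap_sys_ptrace)
        return true;
    if (t->uid != c->uid)
        return false;
    if (t->mm != NULL && t->mm->dumpable == 0)
        return false;        /* non-dumpable image: access denied */
    return true;             /* no mm: nothing to check, access allowed */
}

/* Post-patch behaviour: without an mm, fall back to the cached "last
 * dumpability", which is 0 for a kernel thread that never had one, so
 * only CAP_SYS_PTRACE can override the denial. */
bool may_access_after(const struct task_model *t, const struct caller_model *c)
{
    int dumpable = (t->mm != NULL) ? t->mm->dumpable : t->last_dumpable;

    if (c->cap_sys_ptrace)
        return true;
    if (t->uid != c->uid)
        return false;
    return dumpable != 0;
}
```

The model shows the case the advisory concerns: a uid-0 caller that has dropped CAP_SYS_PTRACE could inspect a kernel thread before the change and cannot afterwards, while the checks for ordinary tasks with an mm are unchanged.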