ptrace: backport upstream fix for CVE-2026-46333 (ssh-keysign-pwn)#481
Merged: SuperKali merged 1 commit, May 15, 2026.
The 'dumpability' flag is fundamentally about the task's memory image and makes no sense when there's no associated mm. ptrace_may_access() however uses it for access control independent of the mm, including for tasks whose mm has been cleared on exit and for kernel threads.

Cache the last user-dumpability when exit_mm() releases the mm, and require CAP_SYS_PTRACE in the no-mm path. Kernel threads, which never had a mm, keep the cached flag at zero and therefore require the capability — closing the bypass path used by the exploit.

Addresses CVE-2026-46333 (ssh-keysign-pwn): an unprivileged local user could race ssh-keysign's exit and use pidfd_getfd() to steal the open file descriptors for /etc/ssh/ssh_host_*_key once task->mm was cleared.

Backport for linux-6.1.y: adapt sched.h hunk context (pre-6.7 lacks the sched_rt_mutex bitfield; the adjacent comment reads "LSMs" instead of "TOMOYO").

Reported-by: Qualys Security Advisory <qsa@qualys.com>
Signed-off-by: SuperKali <hello@superkali.me>
Summary
Backports mainline commit 31e62c2ebbfd (Linus Torvalds, 2026-05-13) to rk-6.1-rkr5.1, closing the `__ptrace_may_access()` logic flaw that lets an unprivileged local user race `ssh-keysign`'s exit and steal SSH host private key / `/etc/shadow` FDs via `pidfd_getfd()`. Closes #480.
Changes
- `include/linux/sched.h`: add `task_struct.user_dumpable:1` bitfield
- `kernel/exit.c`: cache dumpability in `exit_mm()` before clearing `mm`
- `kernel/ptrace.c`: new `task_still_dumpable()` helper; `__ptrace_may_access()` now requires `CAP_SYS_PTRACE` on the no-mm path

Context-only adaptation vs mainline:

- `sched.h` hunk rewritten for pre-6.7 (no `sched_rt_mutex` bitfield, LSM comment wording).
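As an added illustration (not kernel code from this PR or from mainline), the following userspace C model reproduces the access decision that the commit message and the Summary above describe: the uid check, the dumpability check that the old code skipped whenever `task->mm` was NULL, and the fixed path that falls back to a dumpability flag cached at `exit_mm()` and otherwise demands `CAP_SYS_PTRACE`. The struct layout, the simplified checks and the scenarios are assumptions made for the illustration; the real `__ptrace_may_access()` also performs credential, group and LSM checks that are omitted here.

```c
/*
 * Userspace model of the __ptrace_may_access() decision described in the
 * PR. Added illustration only, not kernel code: field names, the reduced
 * set of checks and the scenarios below are assumptions that follow the
 * commit message (uid match, then a dumpability check that the old code
 * skipped whenever task->mm was NULL).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SUID_DUMP_DISABLE 0   /* same values as the kernel constants */
#define SUID_DUMP_USER    1

/* Stand-in for mm_struct: only the dumpable flag matters here. */
struct mm { int dumpable; };

/* Stand-in for task_struct. user_dumpable models the new 1-bit field. */
struct task {
    unsigned uid;
    bool has_cap_sys_ptrace;
    struct mm *mm;                 /* NULL after exit_mm() or for kernel threads */
    unsigned user_dumpable : 1;    /* cached by exit_mm(); stays 0 for kthreads */
};

/* Old logic: dumpability is only consulted while an mm is still attached. */
static bool may_access_old(const struct task *tracer, const struct task *target)
{
    if (tracer->uid != target->uid && !tracer->has_cap_sys_ptrace)
        return false;
    if (target->mm && target->mm->dumpable != SUID_DUMP_USER &&
        !tracer->has_cap_sys_ptrace)
        return false;
    return true;                   /* mm == NULL: check skipped (the flaw) */
}

/* Model of the new task_still_dumpable(): live mm if present, else the cache. */
static bool task_still_dumpable(const struct task *t)
{
    if (t->mm)
        return t->mm->dumpable == SUID_DUMP_USER;
    return t->user_dumpable;       /* 0 for kernel threads, which never had an mm */
}

/* Fixed logic: a non-dumpable target needs CAP_SYS_PTRACE, with or without mm. */
static bool may_access_new(const struct task *tracer, const struct task *target)
{
    if (tracer->uid != target->uid && !tracer->has_cap_sys_ptrace)
        return false;
    if (!task_still_dumpable(target) && !tracer->has_cap_sys_ptrace)
        return false;
    return true;
}

/* Model of exit_mm(): cache user-dumpability, then drop the mm. */
static void exit_mm_model(struct task *t)
{
    t->user_dumpable = (t->mm && t->mm->dumpable == SUID_DUMP_USER);
    t->mm = NULL;
}

/* Encode both decisions in one int: bit 0 = old logic allows, bit 1 = new allows. */
static int encode(bool old_ok, bool new_ok)
{
    return (old_ok ? 1 : 0) | (new_ok ? 2 : 0);
}

/* Scenario 1: a same-uid, non-dumpable target (a set-id helper that dropped
 * privileges, as ssh-keysign does) observed after exit_mm() has run. */
static int race_after_exit_mm(bool tracer_has_cap)
{
    struct mm m = { .dumpable = SUID_DUMP_DISABLE };
    struct task target = { .uid = 1000, .mm = &m };
    struct task tracer = { .uid = 1000, .has_cap_sys_ptrace = tracer_has_cap };
    exit_mm_model(&target);
    return encode(may_access_old(&tracer, &target), may_access_new(&tracer, &target));
}

/* Scenario 2: a kernel thread (never had an mm) and a uid-0 tracer that has
 * dropped CAP_SYS_PTRACE, e.g. root inside a capability-restricted container. */
static int kthread_target(void)
{
    struct task target = { .uid = 0, .mm = NULL };   /* user_dumpable stays 0 */
    struct task tracer = { .uid = 0 };               /* no CAP_SYS_PTRACE */
    return encode(may_access_old(&tracer, &target), may_access_new(&tracer, &target));
}

int main(void)
{
    printf("exited non-dumpable target, unprivileged tracer: old=%d new=%d\n",
           race_after_exit_mm(false) & 1, (race_after_exit_mm(false) >> 1) & 1);
    printf("same target, tracer with CAP_SYS_PTRACE:          old=%d new=%d\n",
           race_after_exit_mm(true) & 1, (race_after_exit_mm(true) >> 1) & 1);
    printf("kernel thread target, uid-0 tracer without cap:    old=%d new=%d\n",
           kthread_target() & 1, (kthread_target() >> 1) & 1);
    return 0;
}
```

The first scenario is the race the advisory describes: the old logic grants a same-uid tracer access to an exited, non-dumpable task (so `pidfd_getfd()` on its still-open descriptors would succeed), while the fixed logic denies it unless the tracer holds `CAP_SYS_PTRACE`. The kernel-thread case shows why the cached flag must default to zero.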