The patch titled
     Subject: fork: check exit_signal passed in clone3() call
has been added to the -mm tree.  Its filename is
     fork-check-exit_signal-passed-in-clone3-call.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/fork-check-exit_signal-passed-in-clone3-call.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/fork-check-exit_signal-passed-in-clone3-call.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Eugene Syromiatnikov <esyr@xxxxxxxxxx>
Subject: fork: check exit_signal passed in clone3() call

Previously, higher 32 bits of exit_signal fields were lost when copied to
the kernel args structure (that uses int as a type for the respective
field).  Moreover, as Oleg has noted[1], exit_signal is used unchecked, so
it has to be checked for sanity before use; for the legacy syscalls,
applying CSIGNAL mask guarantees that it is at least non-negative;
however, no such thing is done in the clone3() code path, and that can
break at least thread_group_leader.  Checking user-passed exit_signal
against ~CSIGNAL mask solves both of these problems.

[1] https://lkml.org/lkml/2019/9/10/467

* kernel/fork.c (copy_clone_args_from_user): Fail with -EINVAL if
  args.exit_signal has bits set outside CSIGNAL mask.
  (_do_fork): Note that exit_signal is expected to be checked for sanity
  by the caller.

Link: http://lkml.kernel.org/r/20190910175852.GA15572@xxxxxxxxxxxxxxxxx
Fixes: 7f192e3cd316 ("fork: add clone3")
Signed-off-by: Eugene Syromiatnikov <esyr@xxxxxxxxxx> Reported-by: Oleg Nesterov <oleg@xxxxxxxxxx> Cc: Christian Brauner <christian@xxxxxxxxxx> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> Cc: "Peter Zijlstra (Intel)" <peterz@xxxxxxxxxxxxx> Cc: Ingo Molnar <mingo@xxxxxxxxxx> Cc: "Dmitry V. Levin" <ldv@xxxxxxxxxxxx> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- kernel/fork.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) --- a/kernel/fork.c~fork-check-exit_signal-passed-in-clone3-call +++ a/kernel/fork.c @@ -2338,6 +2338,8 @@ struct mm_struct *copy_init_mm(void) * * It copies the process, and if successful kick-starts * it and waits for it to finish using the VM if required. + * + * args->exit_signal is expected to be checked for sanity by the caller. */ long _do_fork(struct kernel_clone_args *args) { @@ -2562,6 +2564,16 @@ noinline static int copy_clone_args_from if (copy_from_user(&args, uargs, size)) return -EFAULT; + /* + * exit_signal is confined to CSIGNAL mask in legacy syscalls, + * so it is used unchecked deeper in syscall handling routines; + * moreover, copying to struct kernel_clone_args.exit_signals + * trims higher 32 bits, so it is has to be checked that they + * are zero. + */ + if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) + return -EINVAL; + *kargs = (struct kernel_clone_args){ .flags = args.flags, .pidfd = u64_to_user_ptr(args.pidfd), _ Patches currently in -mm which might be from esyr@xxxxxxxxxx are fork-check-exit_signal-passed-in-clone3-call.patch
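Review bot: the comment added above _do_fork() says exit_signal "is expected to be checked for sanity by the caller" without saying what sanity means, so a future caller cannot tell what to validate. Since the check introduced in copy_clone_args_from_user() is `args.exit_signal & ~((u64)CSIGNAL)`, state the contract concretely, e.g. "args->exit_signal must have no bits set outside CSIGNAL (the legacy syscalls guarantee this by masking clone_flags with CSIGNAL)".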
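Review bot: the comment in the copy_clone_args_from_user() hunk has two slips that should be fixed before merging: `struct kernel_clone_args.exit_signals` should be `exit_signal` (the field that is assigned a few lines below), and `so it is has to be checked that they are zero` should read `so it has to be checked that they are zero`. The check itself is sound: casting CSIGNAL to u64 before inverting makes the mask cover the full 64-bit user-supplied value, so any bit above bit 7, including the high 32 bits that the int-typed kernel field would otherwise silently drop, returns -EINVAL before *kargs is populated.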
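To make the two failure modes the commit message describes concrete, here is a small user-space emulation (added here as an illustration; it is not kernel code and not part of the patch). `truncated_exit_signal()` mimics the unpatched assignment of the 64-bit `clone_args.exit_signal` into an `int` field, and `check_exit_signal()` mirrors the `& ~((u64)CSIGNAL)` test the patch adds. The `CSIGNAL` value and both helper names are assumptions for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the kernel's CSIGNAL mask (0x000000ff). */
#define CSIGNAL 0x000000ffULL

/* clone_args.exit_signal is a u64 in the user-visible ABI. */
typedef uint64_t u64;

/*
 * Emulation of the unpatched path: the u64 is stored into an int field,
 * so the high 32 bits are dropped and only the low 32 bits survive.
 * Returns the value the kernel would have gone on to use.
 */
int truncated_exit_signal(u64 exit_signal)
{
    int kernel_field = (int)exit_signal; /* high 32 bits lost here */
    return kernel_field;
}

/*
 * Emulation of the check the patch adds to copy_clone_args_from_user():
 * any bit outside CSIGNAL, including the whole upper 32 bits, is rejected
 * with -EINVAL before the value reaches the int-typed kernel field.
 */
int check_exit_signal(u64 exit_signal)
{
    if (exit_signal & ~((u64)CSIGNAL))
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: a normal SIGCHLD (17), the same low byte
     * with garbage in the high 32 bits, and an all-ones value. */
    const u64 samples[] = { 17ULL, 0x100000011ULL, 0xffffffffffffffffULL };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        u64 v = samples[i];
        printf("exit_signal=0x%016llx  unpatched sees %d  patched returns %d\n",
               (unsigned long long)v, truncated_exit_signal(v),
               check_exit_signal(v));
    }
    return 0;
}
```

The middle sample is the interesting one: after truncation it looks like a perfectly ordinary signal 17, which is exactly why the patch has to validate the full 64-bit value rather than the already-narrowed field.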