From: Christian Brauner <christian.brauner@ubuntu.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Eugene Syromiatnikov <esyr@redhat.com>,
	linux-kernel@vger.kernel.org, Oleg Nesterov <oleg@redhat.com>,
	"Peter Zijlstra (Intel)" <peterz@infradead.org>,
	Ingo Molnar <mingo@kernel.org>,
	"Dmitry V. Levin" <ldv@altlinux.org>,
	Eric Biederman <ebiederm@xmission.com>
Subject: Re: [PATCH v2] fork: check exit_signal passed in clone3() call
Date: Wed, 11 Sep 2019 15:52:37 +0200
Message-ID: <20190911135236.73l6icwxqff7fkw5@wittgenstein>
In-Reply-To: <20190911064852.9f236d4c201b50e14d717c14@linux-foundation.org>

On Wed, Sep 11, 2019 at 06:48:52AM -0700, Andrew Morton wrote:
> On Tue, 10 Sep 2019 18:58:52 +0100 Eugene Syromiatnikov <esyr@redhat.com> wrote:
> 
> > Previously, higher 32 bits of exit_signal fields were lost when
> > copied to the kernel args structure (that uses int as a type for the
> > respective field).  Moreover, as Oleg has noted[1], exit_signal is used
> > unchecked, so it has to be checked for sanity before use; for the legacy
> > syscalls, applying CSIGNAL mask guarantees that it is at least non-negative;
> > however, no such thing is done in the clone3() code path, and that can
> > break at least thread_group_leader.
> > 
> > Checking user-passed exit_signal against ~CSIGNAL mask solves both
> > of these problems.
> > 
> > [1] https://lkml.org/lkml/2019/9/10/467
> > 
> > * kernel/fork.c (copy_clone_args_from_user): Fail with -EINVAL if
> > args.exit_signal has bits set outside CSIGNAL mask.
> > (_do_fork): Note that exit_signal is expected to be checked for
> > sanity by the caller.
> > 
> > Fixes: 7f192e3cd316 ("fork: add clone3")
> 
> What are the user-visible runtime effects of this bug?
> 
> Relatedly, should this fix be backported into -stable kernels?  If so, why?

No, as I said in my other mail, clone3() is not in any released kernel
yet. clone3() is going to be released in v5.3.

Christian
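
A user-space model of the two problems the quoted commit message describes (the 64-bit exit_signal narrowed to int, and no mask check on the clone3() path), added here as an illustration; it is not the patch or kernel code. The struct and function names are hypothetical, and CSIGNAL is the 0xff mask from linux/sched.h.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define CSIGNAL 0x000000ffULL /* exit-signal mask, value as in linux/sched.h */

/* Simplified stand-ins (assumptions) for the user struct and the kernel args. */
struct model_clone_args  { uint64_t flags; uint64_t exit_signal; };
struct model_kernel_args { uint64_t flags; int exit_signal; };

/* "Before": the 64-bit user value is narrowed to int with no validation. */
static int copy_unchecked(const struct model_clone_args *u,
                          struct model_kernel_args *k)
{
    k->flags = u->flags;
    /* Upper 32 bits are dropped; gcc/clang wrap modulo 2^32 here. */
    k->exit_signal = (int)u->exit_signal;
    return 0;
}

/* "After": fail with -EINVAL if any bit outside CSIGNAL is set. */
static int copy_checked(const struct model_clone_args *u,
                        struct model_kernel_args *k)
{
    if (u->exit_signal & ~CSIGNAL)
        return -EINVAL;
    k->flags = u->flags;
    k->exit_signal = (int)u->exit_signal; /* now known to fit in 0..255 */
    return 0;
}

int main(void)
{
    /* Constructed inputs: 17 (SIGCHLD), 17 with bit 32 set, low 32 bits all set. */
    const uint64_t samples[] = { 17, 0x100000011ULL, 0xffffffffULL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct model_clone_args u = { 0, samples[i] };
        struct model_kernel_args a = { 0, 0 }, b = { 0, 0 };

        copy_unchecked(&u, &a);
        int rc = copy_checked(&u, &b);
        printf("user=%#llx unchecked=%d checked_rc=%d\n",
               (unsigned long long)samples[i], a.exit_signal, rc);
    }
    return 0;
}
```

The second sample is silently accepted as signal 17 by the unchecked copy, and the third becomes a negative exit_signal, the case the CSIGNAL mask rules out for the legacy syscalls.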
