From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Rich Felker, Kees Cook, Sasha Levin
Subject: [PATCH AUTOSEL 5.8 025/101] seccomp: kill process instead of thread for unknown actions
Date: Sun, 18 Oct 2020 15:19:10 -0400
Message-Id: <20201018192026.4053674-25-sashal@kernel.org>
In-Reply-To: <20201018192026.4053674-1-sashal@kernel.org>
References: <20201018192026.4053674-1-sashal@kernel.org>

From: Rich Felker

[ Upstream commit 4d671d922d51907bc41f1f7f2dc737c928ae78fd ]

Asynchronous termination of a thread outside of the userspace thread library's knowledge is an unsafe operation that leaves the process in an inconsistent, corrupt, and possibly unrecoverable state. In order to make new actions that may be added in the future safe on kernels not aware of them, change the default action from SECCOMP_RET_KILL_THREAD to SECCOMP_RET_KILL_PROCESS.

Signed-off-by: Rich Felker
Link: https://lore.kernel.org/r/20200829015609.GA32566@brightrain.aerifal.cx
[kees: Fixed up coredump selection logic to match]
Signed-off-by: Kees Cook
Signed-off-by: Sasha Levin
---
 kernel/seccomp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 54cf84bac3c9b..af1e43ddb9401 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c
@@ -908,7 +908,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, default: seccomp_log(this_syscall, SIGSYS, action, true); /* Dump core only if this is the last remaining thread. */ - if (action == SECCOMP_RET_KILL_PROCESS || + if (action != SECCOMP_RET_KILL_THREAD || get_nr_threads(current) == 1) { kernel_siginfo_t info; @@ -918,10 +918,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, seccomp_init_siginfo(&info, this_syscall, data); do_coredump(&info); } - if (action == SECCOMP_RET_KILL_PROCESS) - do_group_exit(SIGSYS); - else + if (action == SECCOMP_RET_KILL_THREAD) do_exit(SIGSYS); + else + do_group_exit(SIGSYS); } unreachable(); -- 2.25.1
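Review bot: In the first hunk (@@ -908), the retained comment "Dump core only if this is the last remaining thread." no longer matches the condition beneath it. With `action != SECCOMP_RET_KILL_THREAD || get_nr_threads(current) == 1`, a core is dumped unconditionally for SECCOMP_RET_KILL_PROCESS and for every unrecognized action value that reaches the `default:` label, and the thread-count test only applies to SECCOMP_RET_KILL_THREAD. Suggest rewording the comment to say that a core is always dumped when the whole process is being killed, and for a thread kill only when it is the last remaining thread.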
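Review bot: In the second hunk (@@ -918), the new `else` branch calling `do_group_exit(SIGSYS)` now serves two distinct cases, the explicit SECCOMP_RET_KILL_PROCESS and any action value this kernel does not know, but nothing at the site says the second case is intentional. A one-line comment above `if (action == SECCOMP_RET_KILL_THREAD)` stating that unknown actions deliberately kill the whole process would keep a later cleanup from flipping the test back to `== SECCOMP_RET_KILL_PROCESS` and silently restoring thread-kill as the fallback. Since this is a stable backport, the commit message could also say that filters returning an unrecognized action will now terminate the entire thread group rather than one thread.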