Date: Wed, 11 Sep 2019 15:47:44 +0200
From: Christian Brauner
To: Oleg Nesterov
Cc: Eugene Syromiatnikov, linux-kernel@vger.kernel.org, Andrew Morton, "Peter Zijlstra (Intel)", Ingo Molnar, "Dmitry V. Levin", Eric Biederman
Subject: Re: [PATCH v2] fork: check exit_signal passed in clone3() call
Message-ID: <20190911134742.fuktu2wmwavfc3go@wittgenstein>
References: <20190910175852.GA15572@asgard.redhat.com> <20190911133119.GA17580@redhat.com>
In-Reply-To: <20190911133119.GA17580@redhat.com>

On Wed, Sep 11, 2019 at 03:31:20PM +0200, Oleg Nesterov wrote:
> On 09/10, Eugene Syromiatnikov wrote:
> > > > --- a/kernel/fork.c > > +++ b/kernel/fork.c 
> > @@ -2338,6 +2338,8 @@ struct mm_struct *copy_init_mm(void) > > * > > * It copies the process, and if successful kick-starts > > * it and waits for it to finish using the VM if required. > > + * > > + * args->exit_signal is expected to be checked for sanity by the caller. > > not sure this comment is really useful but it doesn't hurt > > > long _do_fork(struct kernel_clone_args *args) > > { > > @@ -2562,6 +2564,16 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs, > > if (copy_from_user(&args, uargs, size)) > > return -EFAULT; > > > > + /* > > + * exit_signal is confined to CSIGNAL mask in legacy syscalls, > > + * so it is used unchecked deeper in syscall handling routines; > > + * moreover, copying to struct kernel_clone_args.exit_signals > > + * trims higher 32 bits, so it is has to be checked that they > > + * are zero. > > + */ > > + if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) > > + return -EINVAL; > > OK, agreed. As you pointed out, this doesn't guarantee valid_signal(exit_signal). > But we do no really care as long as it is non-negative, it acts as exit_signal==0. > > I have no idea if we want to deny exit_signal >= _NSIG in clone3(), this was always > allowed... > > I think this needs the "CC: stable" tag. No, I don't think so. clone3() is not in any released kernel. It'll be released with 5.3. So we should just try and have this picked up this week before the release. I'm going to send a pr for this today hopefully. (Sorry for the delay, conferencing makes it harder to reply to mail.) Reviewed-by: Christian Brauner > > Acked-by: Oleg Nesterov >
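
Review bot: the comment line added above `_do_fork()` (hunk `@@ -2338,6 +2338,8 @@`) says `args->exit_signal` is "expected to be checked for sanity by the caller" but does not say what that check is. Stating the requirement directly, that the value must fit within the CSIGNAL mask, would tell anyone constructing a `struct kernel_clone_args` what they have to guarantee before calling in.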
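
Review bot: in the `copy_clone_args_from_user()` hunk (`@@ -2562,6 +2564,16 @@`), the added comment names the field `kernel_clone_args.exit_signals` while the code tests `args.exit_signal`, and "so it is has to be checked" has a stray word; both should be fixed in the comment. It would also help to say in that comment that `args.exit_signal & ~((u64)CSIGNAL)` only bounds the value to the CSIGNAL mask and is not a `valid_signal()` check, since the thread notes this limitation and a reader of the code alone cannot tell it is intentional.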