Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp958445ybe; Wed, 11 Sep 2019 07:19:14 -0700 (PDT) X-Google-Smtp-Source: APXvYqw8vFUycm8UBfZeZ5VcIN5mZjMDPHzdqTIXJW0mRqLQNlk7lV2QfB9Ifrfl8HS3+ocpaxfc X-Received: by 2002:a17:906:349b:: with SMTP id g27mr30035617ejb.130.1568211554074; Wed, 11 Sep 2019 07:19:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568211554; cv=none; d=google.com; s=arc-20160816; b=g0vjZuc/y3thxPfxjMKedqld+VwZd7U7Qf6PJ5ntlJeZnHHFq8wADqnpKOMLOF8VOv xBr/UA6IAzRDZ5nz99TYNjxxTFKJnKAAFS7i2tWKWmvEmINOzYzNsGkdY4+UyrLYqsBv DU9A+nEXbLJeOKNIxTH/sx9miLNlMFeDtt0P68jsiJsWLmtUeRkVthND2n1PJYl8AHev RAD2xh0RGoeeS5QCQ1jGqQbRBHmSQ4fWengPYJy+95JFtppqpQtDDEOl/dV7/5hdOiqd Xmi5Ap4hvuyV12JN1jRpviJLKUuTA/IogzTNqrO/kOE6peZT5v6Qe7zhBDjrOVrKwvl9 mEoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=THqrYOIqAmRzW3BcCqnERCZihIwxZM1Q2zpYht3BhRs=; b=cDJc8BjMEslEm0dwrW26+WS4aR6ZBpzikgwhTgCzNU7xZym0MibV1yhl7H0htTt4cR XbJZdL4Gm4JKYtwQ+UskQQQ2qhz42/941rggGOunfCCSC8fzS1ui/d/niPlvMtUof7ec 5oqHb4/INoHvtfPRTF9e0z38HnphD7nVqUh9FUw2M07POhSr3gJtRHjrErmCfIaaApAZ 1v2q3Ed0Qb2RwWFFUi6ZpPmEjqs584eB0/f+0uLIHmVb0Q1WbTUq3NDbmXPrwGWrFWNF 8leGbZJPOS3jKJD3Z9IpJj/nJzdd65quRSaDgtMGiYVeyDgjLJEjcu3j7o6q9QszjCse Kt6A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c4si14497054edb.387.2019.09.11.07.18.49; Wed, 11 Sep 2019 07:19:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728183AbfIKOQk (ORCPT + 99 others); Wed, 11 Sep 2019 10:16:40 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:58262 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726341AbfIKOQj (ORCPT ); Wed, 11 Sep 2019 10:16:39 -0400 Received: from [148.69.85.38] (helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1i83QC-0007xr-VZ; Wed, 11 Sep 2019 14:16:37 +0000 Date: Wed, 11 Sep 2019 16:16:36 +0200 From: Christian Brauner To: Andrew Morton Cc: Eugene Syromiatnikov , linux-kernel@vger.kernel.org, Oleg Nesterov , "Peter Zijlstra (Intel)" , Ingo Molnar , "Dmitry V. Levin" , Eric Biederman Subject: Re: [PATCH v2] fork: check exit_signal passed in clone3() call Message-ID: <20190911141635.lafrcjwvbhjm3ezy@wittgenstein> References: <20190910175852.GA15572@asgard.redhat.com> <20190911064852.9f236d4c201b50e14d717c14@linux-foundation.org> <20190911135236.73l6icwxqff7fkw5@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20190911135236.73l6icwxqff7fkw5@wittgenstein> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 11, 2019 at 03:52:36PM +0200, Christian Brauner wrote: > On Wed, Sep 11, 2019 at 06:48:52AM -0700, Andrew Morton wrote: > > On Tue, 10 Sep 2019 18:58:52 +0100 Eugene Syromiatnikov wrote: > > > > > Previously, higher 32 bits of exit_signal fields were lost when > > > copied to the kernel args structure (that uses int as a type for the > > > respective field). Moreover, as Oleg has noted[1], exit_signal is used > > > unchecked, so it has to be checked for sanity before use; for the legacy > > > syscalls, applying CSIGNAL mask guarantees that it is at least non-negative; > > > however, there's no such thing is done in clone3() code path, and that can > > > break at least thread_group_leader. > > > > > > Checking user-passed exit_signal against ~CSIGNAL mask solves both > > > of these problems. > > > > > > [1] https://lkml.org/lkml/2019/9/10/467 > > > > > > * kernel/fork.c (copy_clone_args_from_user): Fail with -EINVAL if > > > args.exit_signal has bits set outside CSIGNAL mask. > > > (_do_fork): Note that exit_signal is expected to be checked for the > > > sanity by the caller. > > > > > > Fixes: 7f192e3cd316 ("fork: add clone3") > > > > What are the user-visible runtime effects of this bug? > > > > Relatedly, should this fix be backported into -stable kernels? If so, why? > > No, as I said in my other mail clone3() is not in any released kernel > yet. clone3() is going to be released in v5.3. Sigh, I spoke to soon... Hm, this is placed in _do_fork(). There's a chance that this might be visible in legacy clone if anyone passes in an invalid signal greater than NSIG right now somehow, they'd now get EINVAL if I'm seeing this right. So an alternative might be to only fix this in clone3() only right now and get this patch into 5.3 to not release clone3() with this bug from legacy clone duplicated. And we defer the actual legacy clone fix until after next merge window having it stew in linux-next for a couple of rcs. Distros often pull in rcs so if anyone notices a regression for legacy clone we'll know about it... valid_signal() checks at process exit time when the parent is supposed to be notifed will catch faulty signals anyway so it's not that big of a deal. Christian