| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Sep 2019 16:18:01 +0100
From: Eugene Syromiatnikov <esyr@...hat.com>
To: Christian Brauner <christian.brauner@...ntu.com>
Cc: Oleg Nesterov <oleg@...hat.com>, linux-kernel@...r.kernel.org,
Christian Brauner <christian@...uner.io>,
Andrew Morton <akpm@...ux-foundation.org>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
Ingo Molnar <mingo@...nel.org>,
"Dmitry V. Levin" <ldv@...linux.org>,
Eric Biederman <ebiederm@...ssion.com>
Subject: Re: [PATCH] fork: fail on non-zero higher 32 bits of args.exit_signal
On Tue, Sep 10, 2019 at 04:46:15PM +0200, Christian Brauner wrote:
> On Tue, Sep 10, 2019 at 04:39:44PM +0200, Oleg Nesterov wrote:
> > On 09/10, Christian Brauner wrote:
> > > On Tue, Sep 10, 2019 at 03:10:48PM +0200, Christian Brauner wrote:
> > > > On Tue, Sep 10, 2019 at 03:09:35PM +0200, Christian Brauner wrote:
> > > > > On Tue, Sep 10, 2019 at 02:44:41PM +0200, Oleg Nesterov wrote:
> > > > > > On 09/10, Eugene Syromiatnikov wrote:
> > > > > > >
> > > > > > > --- a/kernel/fork.c
> > > > > > > +++ b/kernel/fork.c
> > > > > > > @@ -2562,6 +2562,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
> > > > > > > if (copy_from_user(&args, uargs, size))
> > > > > > > return -EFAULT;
> > > > > > >
> > > > > > > + if (unlikely(((unsigned int)args.exit_signal) != args.exit_signal))
> > > > > > > + return -EINVAL;
> > > > > >
> > > > > > Hmm. Unless I am totally confused you found a serious bug...
> > > > > >
> > > > > > Without CLONE_THREAD/CLONE_PARENT copy_process() blindly does
> > > > > >
> > > > > > p->exit_signal = args->exit_signal;
> > > > > >
> > > > > > the valid_signal(sig) check in do_notify_parent() mostly saves us, but we
> > > > > > must not allow child->exit_signal < 0, if nothing else this breaks
> > > > > > thread_group_leader().
> > > > > >
> > > > > > And afaics this patch doesn't fix this? I think we need the valid_signal()
> > > > > > check...
> > > > >
> > > > > Thanks for sending this patch so quickly after our conversation
> > > > > yesterday, Eugene!
> > > > > We definitely want valid_signal() to verify the signal is ok.
> > >
> > > So we could do your check in copy_clone_args_from_user(), and then we do
> > > another valid_signal() check in clone3_args_valid()? We could do the
> > > latter in copy_clone_args_from_user() too but it's nicer to do it along
> > > the other checks in clone3_args_valid().
> >
> > I am fine either way. Sure, we can add valid_signal() into clone3_args_valid(),
> > but then I'd ask to simplify the "overflow" check above. Something like
> >
> > if (args.exit_signal > UINT_MAX)
> > return -EINVAL;
> >
> > looks much more readable to me.
> >
> >
> > Or we can simply do
> >
> > if (args.exit_signal & ~((u64)CSIGNAL))
> > return -EINVAL;
> >
> > in copy_clone_args_from_user() and forget about all problems.
>
> Both are fine with me. The latter might have the advantage that we catch
> both legacy clone and clone3. I think Eugene prefers this as well.
Unfortunately, it doesn't. I think, the best place for the check is
either in _do_fork or copy_process itself; however, it's quite messy as
that way it's detached from the other checks, but, at the same time,
there are a lot of code paths (like the one in arch/x86/ia32/sys_ia32.c),
and it's kinda obscure that the caller of _do_fork has to check that
exit_syscall is positive itself.
> Christian
Powered by blists - more mailing lists