On 09/10, Eugene Syromiatnikov wrote:
>
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -2338,6 +2338,8 @@ struct mm_struct *copy_init_mm(void)
> *
> * It copies the process, and if successful kick-starts
> * it and waits for it to finish using the VM if required.
> + *
> + * args->exit_signal is expected to be checked for sanity by the caller.
not sure this comment is really useful but it doesn't hurt
> long _do_fork(struct kernel_clone_args *args)
> {
> @@ -2562,6 +2564,16 @@ noinline static int copy_clone_args_from_user(struct
> kernel_clone_args *kargs,
> if (copy_from_user(&args, uargs, size))
> return -EFAULT;
>
> + /*
> + * exit_signal is confined to CSIGNAL mask in legacy syscalls,
> + * so it is used unchecked deeper in syscall handling routines;
> + * moreover, copying to struct kernel_clone_args.exit_signals
> + * trims higher 32 bits, so it is has to be checked that they
> + * are zero.
> + */
> + if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
> + return -EINVAL;
OK, agreed. As you pointed out, this doesn't guarantee
valid_signal(exit_signal).
But we do no really care as long as it is non-negative, it acts as
exit_signal==0.
I have no idea if we want to deny exit_signal >= _NSIG in clone3(), this was
always
allowed...
I think this needs the "CC: stable" tag.
Acked-by: Oleg Nesterov <o...@redhat.com>
