From: "Dmitry V. Levin" <ldv@altlinux.org>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Eugene Syromiatnikov <esyr@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, Oleg Nesterov <oleg@redhat.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Ingo Molnar <mingo@kernel.org>,
Eric Biederman <ebiederm@xmission.com>
Subject: Re: [PATCH v2] fork: check exit_signal passed in clone3() call
Date: Wed, 11 Sep 2019 18:08:57 +0300 [thread overview]
Message-ID: <20190911150857.GA23868@altlinux.org> (raw)
In-Reply-To: <20190911145446.vkcqy2shldi5ibb5@wittgenstein>
On Wed, Sep 11, 2019 at 04:54:47PM +0200, Christian Brauner wrote:
> On Wed, Sep 11, 2019 at 03:32:13PM +0100, Eugene Syromiatnikov wrote:
> > On Wed, Sep 11, 2019 at 04:16:36PM +0200, Christian Brauner wrote:
> > > On Wed, Sep 11, 2019 at 03:52:36PM +0200, Christian Brauner wrote:
> > > > On Wed, Sep 11, 2019 at 06:48:52AM -0700, Andrew Morton wrote:
> > > > > What are the user-visible runtime effects of this bug?
> >
> > The userspace can set -1 as an exit_signal, and that will break process
> > signalling and reaping.
> >
> > > > > Relatedly, should this fix be backported into -stable kernels? If so, why?
> > > >
> > > > No, as I said in my other mail clone3() is not in any released kernel
> > > > yet. clone3() is going to be released in v5.3.
> > >
> > > Sigh, I spoke to soon... Hm, this is placed in _do_fork(). There's a
> > > chance that this might be visible in legacy clone if anyone passes in an
> > > invalid signal greater than NSIG right now somehow, they'd now get
> > > EINVAL if I'm seeing this right.
> > >
> > > So an alternative might be to only fix this in clone3() only right now
> > > and get this patch into 5.3 to not release clone3() with this bug from
> > > legacy clone duplicated.
> > > And we defer the actual legacy clone fix until after next merge window
> > > having it stew in linux-next for a couple of rcs. Distros often pull in
> > > rcs so if anyone notices a regression for legacy clone we'll know about
> > > it... valid_signal() checks at process exit time when the parent is
> > > supposed to be notifed will catch faulty signals anyway so it's not that
> > > big of a deal.
> >
> > As the patch is written, only copy_clone_args_from_user is touched (which
> > is used only by clone3 and not legacy clone), and the check added
>
> Great!
>
> > replicates legacy clone behaviour: userspace can set 0..CSIGNAL
> > as an exit_signal. Having ability to set exit_signal in NSIG..CSIGNAL
>
> Hm. The way I see it for clone3() it would make sense to only have <
> NSIG right away. valid_signal() won't let through anything else
> anyway... Since clone3() isn't out yet it doesn't make sense to
> replicate the (buggy) behavior of legacy clone, right?
I agree, let's have a proper exit_signal check in the new syscall
from the beginning.
It should be as simple as
if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
!valid_signal(args.exit_signal)))
return -EINVAL;
shouldn't it?
--
ldv
next prev parent reply other threads:[~2019-09-11 15:09 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-10 17:58 [PATCH v2] fork: check exit_signal passed in clone3() call Eugene Syromiatnikov
2019-09-11 13:31 ` Oleg Nesterov
2019-09-11 13:47 ` Christian Brauner
2019-09-11 13:48 ` Andrew Morton
2019-09-11 13:52 ` Christian Brauner
2019-09-11 14:16 ` Christian Brauner
2019-09-11 14:32 ` Eugene Syromiatnikov
2019-09-11 14:54 ` Christian Brauner
2019-09-11 15:08 ` Dmitry V. Levin [this message]
2019-09-11 15:20 ` Eugene Syromiatnikov
2019-09-11 15:31 ` Christian Brauner
2019-09-13 9:07 ` Christian Brauner
2019-09-11 17:32 ` Eric W. Biederman
-- strict thread matches above, loose matches on Subject: below --
2019-09-10 17:58 Eugene Syromiatnikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190911150857.GA23868@altlinux.org \
--to=ldv@altlinux.org \
--cc=akpm@linux-foundation.org \
--cc=christian.brauner@ubuntu.com \
--cc=ebiederm@xmission.com \
--cc=esyr@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.