From: syzbot <syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] kernel/fork: validate exit_signal in clone() syscall
Date: Fri, 06 Mar 2026 21:28:31 -0800
Message-ID: <69abb77f.050a0220.13f275.003e.GAE@google.com>
In-Reply-To: <69a313aa.050a0220.3a55be.0042.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] kernel/fork: validate exit_signal in clone() syscall
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
The clone() syscall constructs exit_signal as:
(lower_32_bits(clone_flags) & CSIGNAL)
CSIGNAL is 0xff, so values in the range 65-255 are possible.
However, valid_signal() only accepts signals up to _NSIG (64 on
x86_64). This allows a userspace process to store an invalid
exit_signal in task_struct->exit_signal, which later triggers a
WARN_ON(!valid_signal(sig)) in do_notify_parent() when the process
exits:
WARNING: kernel/signal.c:2174 do_notify_parent+0xc7e/0xd70
The comment above kernel_clone() states that callers are expected
to validate exit_signal before calling kernel_clone(). clone3()
correctly does this:
	if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
		     !valid_signal(args.exit_signal)))
		return -EINVAL;
The clone() syscall has no such check. Add the missing
valid_signal() check to the clone() syscall handler, consistent
with the existing validation in clone3().
Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
kernel/fork.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 947a8dbce06a..dbe26ac6ca10 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2845,7 +2845,8 @@ SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp,
.stack = newsp,
.tls = tls,
};
-
+ if (!valid_signal(args.exit_signal))
+ return -EINVAL;
return kernel_clone(&args);
}
#endif
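Review bot: the new valid_signal() check guards only this clone() entry point, which sits in a conditionally compiled block (see the trailing `#endif` context line), whereas the commit message says the comment above kernel_clone() expects every caller to validate exit_signal; moving the check into kernel_clone() itself would cover all callers with a single test instead of one per syscall handler. As a style point, the hunk also deletes the blank line that separated the args initializer from the return; keeping one blank line before `return kernel_clone(&args);` after the new `if` would match the surrounding layout.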
--
2.43.0
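An added example, not code from the patch or from the kernel: a user-space model of how clone() derives exit_signal from clone_flags and of the two validation paths the commit message contrasts (the unpatched clone() path, the patched one, and the clone3() check). The constants assume x86_64 (_NSIG = 64, CSIGNAL = 0xff), and valid_signal() is re-implemented here for illustration only.

```c
#include <stdint.h>

#define NSIG_MODEL    64           /* assumed: _NSIG on x86_64 */
#define CSIGNAL       0x000000ff   /* signal mask to be sent at exit */
#define EINVAL_MODEL  22           /* errno value returned as -EINVAL */

/* Model of the kernel's valid_signal(): 0 (no signal) through _NSIG are valid. */
static int valid_signal_model(unsigned long sig)
{
	return sig <= NSIG_MODEL;
}

/* How clone() builds exit_signal: low 32 bits of clone_flags, masked by CSIGNAL.
 * The mask bounds the result to 0..255, but _NSIG is only 64. */
static uint64_t clone_exit_signal(uint64_t clone_flags)
{
	return (uint64_t)((uint32_t)clone_flags & CSIGNAL);
}

/* Unpatched clone(): no validation, every value 0..255 reaches kernel_clone(). */
static int clone_check_before(uint64_t clone_flags)
{
	(void)clone_flags;
	return 0;
}

/* Patched clone(): the added valid_signal() check rejects 65..255 with -EINVAL. */
static int clone_check_after(uint64_t clone_flags)
{
	if (!valid_signal_model(clone_exit_signal(clone_flags)))
		return -EINVAL_MODEL;
	return 0;
}

/* clone3() check as quoted in the commit message: rejects bits outside CSIGNAL
 * as well as signal numbers above _NSIG. */
static int clone3_check(uint64_t exit_signal)
{
	if ((exit_signal & ~((uint64_t)CSIGNAL)) || !valid_signal_model(exit_signal))
		return -EINVAL_MODEL;
	return 0;
}

/* Count low-byte values the unpatched clone() accepts but the patched one
 * rejects: the 65..255 range described in the commit message. */
static int count_invalid_exit_signals(void)
{
	int n = 0;
	for (unsigned long f = 0; f <= CSIGNAL; f++)
		if (clone_check_before(f) == 0 && clone_check_after(f) != 0)
			n++;
	return n;
}
```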