From: Oleg Nesterov <oleg@redhat.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: mm-commits@vger.kernel.org, vschneid@redhat.com,
vincent.guittot@linaro.org, surenb@google.com,
stable@vger.kernel.org, rppt@kernel.org, rostedt@goodmis.org,
peterz@infradead.org, mingo@redhat.com, mhocko@suse.com,
mgorman@suse.de, lorenzo.stoakes@oracle.com,
liam.howlett@oracle.com, kees@kernel.org, Kartikey406@gmail.com,
juri.lelli@redhat.com, dietmar.eggemann@arm.com,
david@kernel.org, bsegall@google.com, brauner@kernel.org
Subject: Re: + kernel-fork-validate-exit_signal-in-clone-syscall.patch added to mm-nonmm-unstable branch
Date: Mon, 9 Mar 2026 10:58:04 +0100
Message-ID: <aa6ZrCZoEYgsPXka@redhat.com>
In-Reply-To: <20260308213116.7E884C116C6@smtp.kernel.org>
On 03/08, Andrew Morton wrote:
>
> From: Deepanshu Kartikey <kartikey406@gmail.com>
> Subject: kernel/fork: validate exit_signal in clone() syscall
> Date: Sat, 7 Mar 2026 12:12:02 +0530
>
> When a child process exits, it sends exit_signal to its parent via
> do_notify_parent(). The clone() syscall constructs exit_signal as:
>
> (lower_32_bits(clone_flags) & CSIGNAL)
>
> CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
> valid_signal() only accepts signals up to _NSIG (64 on x86_64), causing a
> WARN_ON in do_notify_parent() when the process exits:
>
> WARNING: kernel/signal.c:2174 do_notify_parent+0xc7e/0xd70
Aaah. Thanks Deepanshu! My bad, please see below.
> The comment above kernel_clone() states that callers are expected to
> validate exit_signal.
Yes, and man 2 clone says:

    The termination signal is specified in the low byte of flags (clone()) or in cl_args.exit_signal (clone3()).
    If no signal (i.e., zero) is specified, then the parent process is not signaled when the child terminates.

It doesn't document that a nonzero non-valid signal acts as .exit_signal == 0.
> --- a/kernel/fork.c~kernel-fork-validate-exit_signal-in-clone-syscall
> +++ a/kernel/fork.c
> @@ -2800,7 +2800,8 @@ SYSCALL_DEFINE5(clone, unsigned long, cl
> .stack = newsp,
> .tls = tls,
> };
> -
> + if (!valid_signal(args.exit_signal))
> + return -EINVAL;
> return kernel_clone(&args);
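Review bot: the new `if (!valid_signal(args.exit_signal)) return -EINVAL;` only guards this one entry point, while `kernel_clone(&args)` on the last context line is reachable from other callers that build their own `struct kernel_clone_args` (the reply below names sys_ia32_clone()); the check should live in kernel_clone() or copy_process() so every path that derives exit_signal from the low byte of the flags word is covered, and the changelog should say which callers are still unvalidated if the check stays here.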
Well, kernel_clone() has more users which don't validate .exit_signal,
say sys_ia32_clone().

We need to move the valid_signal() check from copy_clone_args_from_user()
to kernel_clone() or copy_process()...
So. This should fix my
[PATCH] do_notify_parent: sanitize the valid_signal() checks
https://lore.kernel.org/all/aZsfg0Y055yuAvsq@redhat.com/
do_notify_parent-sanitize-the-valid_signal-checks.patch in -mm tree.
Somehow I was very sure that copy_process() paths already have the valid_signal()
check but my memory fooled me.
But this is a user visible change which can cause other bug reports...
Perhaps we should revert do_notify_parent-sanitize-the-valid_signal-checks.patch
and this patch?
Even if I think that the new valid_signal() check "fixes" the undocumented
behaviour, it is unlikely that there is a sane application which passes a non-valid exit
signal to sys_clone(). But who knows...
Oleg.
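The thread's two technical points, that `(lower_32_bits(clone_flags) & CSIGNAL)` can yield 65..255 while valid_signal() stops at _NSIG, and that the check belongs at the kernel_clone() level because several entry points reach it, can be seen in a small userspace model. This is an added illustration written for this page, not kernel code: `model_valid_signal`, `exit_signal_from_flags`, `model_kernel_clone`, `model_sys_clone` and `model_sys_ia32_clone` are simplified stand-ins for the kernel helpers, the `_NSIG` value of 64 is taken from the quoted patch description, and the returned pid is a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Constructed model of the exit_signal handling discussed in the thread.
 * None of these functions are the kernel's own; they approximate
 * lower_32_bits(), valid_signal(), kernel_clone() and the two syscall
 * entry points so the masking and the placement of the check can be tested. */

#define CSIGNAL     0x000000ff  /* low byte of clone_flags carries the exit signal */
#define NSIG_MODEL  64          /* _NSIG on x86_64, per the patch description */

/* valid_signal() accepts 0 (no signal) through _NSIG inclusive. */
static int model_valid_signal(unsigned long sig)
{
    return sig <= NSIG_MODEL;
}

static uint32_t model_lower_32_bits(uint64_t v)
{
    return (uint32_t)v;
}

/* What sys_clone() derives from the flags word: any value 0..255 is possible. */
static int exit_signal_from_flags(uint64_t clone_flags)
{
    return (int)(model_lower_32_bits(clone_flags) & CSIGNAL);
}

struct clone_args_model {
    int exit_signal;
};

/* Centralised check: every caller of kernel_clone() is covered, which is the
 * placement the reply argues for instead of a check in sys_clone() alone. */
static int model_kernel_clone(const struct clone_args_model *args)
{
    if (!model_valid_signal((unsigned long)args->exit_signal))
        return -EINVAL;
    return 1234; /* constructed placeholder pid for a successful clone */
}

/* Entry point 1: the native clone() syscall. */
static int model_sys_clone(uint64_t clone_flags)
{
    struct clone_args_model a = { .exit_signal = exit_signal_from_flags(clone_flags) };
    return model_kernel_clone(&a);
}

/* Entry point 2: a compat caller such as sys_ia32_clone(), which builds its
 * own args and would bypass a check placed only in sys_clone(). */
static int model_sys_ia32_clone(uint32_t clone_flags)
{
    struct clone_args_model a = { .exit_signal = (int)(clone_flags & CSIGNAL) };
    return model_kernel_clone(&a);
}

int main(void)
{
    /* CLONE_VM (0x100) in the high bits does not leak into the signal byte. */
    printf("flags 0x100|17 -> exit_signal %d\n", exit_signal_from_flags(0x100 | 17));
    /* 200 is in the 65..255 range the patch description warns about. */
    printf("sys_clone(200)      -> %d\n", model_sys_clone(200));
    printf("sys_ia32_clone(100) -> %d\n", model_sys_ia32_clone(100));
    printf("sys_clone(17)       -> %d\n", model_sys_clone(17));
    return 0;
}
```

Because both entry points funnel through `model_kernel_clone`, the out-of-range signal is rejected regardless of which syscall constructed the arguments, whereas a check in `model_sys_clone` alone would let `model_sys_ia32_clone(100)` through.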