From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0E040C43467 for ; Sun, 18 Oct 2020 19:23:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C720D207DE for ; Sun, 18 Oct 2020 19:23:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603049015; bh=zT4v5fz+1q44aG5bmJO+Y0LEDcuDSKe/4N9X5rUdaCQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=JvsV+mlNqZLeEOYnyUCcATU8UggEO/95fBIqyhh3PN8atFciG4RWsHtCwORUFM/JO c515vKdxexpQzoku1foMvKzCmiXf7R22mCYYoCCqY4CK0hcopgnbLP1hsMyQINRBEi CMs4QWoDi+drgnjOR3LhBD4AYfhb8Rk45G7hjow8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729302AbgJRTXd (ORCPT ); Sun, 18 Oct 2020 15:23:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:36048 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730085AbgJRTW7 (ORCPT ); Sun, 18 Oct 2020 15:22:59 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B0B252231B; Sun, 18 Oct 2020 19:22:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603048979; bh=zT4v5fz+1q44aG5bmJO+Y0LEDcuDSKe/4N9X5rUdaCQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AL/t7475LQoAsRWSGDVDc+6VkXhfqMMecJXovpquRS4H6FDIxAZwDo/xIoRvEHovU yJAs5lkgiGizg1+DIWFNO3xw99nzAUcxc/GGPtPM/8IwI41HgXfd+858ae+hKSVHc0 Y5z/uZVFoRa7mdKtt+KGuANbuVT7KlnJ0Xqf6eOA= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Rich Felker , Kees Cook , Sasha Levin Subject: [PATCH AUTOSEL 5.4 21/80] seccomp: kill process instead of thread for unknown actions Date: Sun, 18 Oct 2020 15:21:32 -0400 Message-Id: <20201018192231.4054535-21-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20201018192231.4054535-1-sashal@kernel.org> References: <20201018192231.4054535-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Rich Felker [ Upstream commit 4d671d922d51907bc41f1f7f2dc737c928ae78fd ] Asynchronous termination of a thread outside of the userspace thread library's knowledge is an unsafe operation that leaves the process in an inconsistent, corrupt, and possibly unrecoverable state. In order to make new actions that may be added in the future safe on kernels not aware of them, change the default action from SECCOMP_RET_KILL_THREAD to SECCOMP_RET_KILL_PROCESS. Signed-off-by: Rich Felker Link: https://lore.kernel.org/r/20200829015609.GA32566@brightrain.aerifal.cx [kees: Fixed up coredump selection logic to match] Signed-off-by: Kees Cook Signed-off-by: Sasha Levin --- kernel/seccomp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index e0fd972356539..3f622803f11a8 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -895,7 +895,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, default: seccomp_log(this_syscall, SIGSYS, action, true); /* Dump core only if this is the last remaining thread. */ - if (action == SECCOMP_RET_KILL_PROCESS || + if (action != SECCOMP_RET_KILL_THREAD || get_nr_threads(current) == 1) { kernel_siginfo_t info; @@ -905,10 +905,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, seccomp_init_siginfo(&info, this_syscall, data); do_coredump(&info); } - if (action == SECCOMP_RET_KILL_PROCESS) - do_group_exit(SIGSYS); - else + if (action == SECCOMP_RET_KILL_THREAD) do_exit(SIGSYS); + else + do_group_exit(SIGSYS); } unreachable(); -- 2.25.1