From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE5F3C388EB for ; Sun, 18 Oct 2020 19:35:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 968F7204FD for ; Sun, 18 Oct 2020 19:35:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603049711; bh=Rucu7OJgs8SLopnys5NQs8qU+P1bU/2LgNi4mY+IXtY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=QR/27xrBjjZxPsUATWHbMYqWPPnoLEsM/XbJ6jbnDiIckGTp0OB3EydPHI+42fytj 42XRyAyQtyXyGGXc29GBwm6LlKOY5ID9wkUPEKBdZo2NYA+oeJgSQoJIjoxW43pKNl RjObXaNX8NTZVk0QQCFCZi/WcNgyvdzGRTr8Vsdc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731442AbgJRTZw (ORCPT ); Sun, 18 Oct 2020 15:25:52 -0400 Received: from mail.kernel.org ([198.145.29.99]:40698 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731418AbgJRTZu (ORCPT ); Sun, 18 Oct 2020 15:25:50 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E138922384; Sun, 18 Oct 2020 19:25:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603049149; bh=Rucu7OJgs8SLopnys5NQs8qU+P1bU/2LgNi4mY+IXtY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=T5w/cx6m8hkNtDIBL1hIoV2Uh/Z9/hhpEDD+XoEA1z/yCvqWu88dNGpzk/NI1KytC 3fgZXvM1vlGsWcelD0ztAk+OKR/glcWi1XGQI7QL7tzsP3up1xecmUMK+B4t03fHLl xATpeaLKLn4WLPNZujbPLgkI1/PLpqCWIo/z5GOI= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Rich Felker , Kees Cook , Sasha Levin Subject: [PATCH AUTOSEL 4.14 15/52] seccomp: kill process instead of thread for unknown actions Date: Sun, 18 Oct 2020 15:24:52 -0400 Message-Id: <20201018192530.4055730-15-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20201018192530.4055730-1-sashal@kernel.org> References: <20201018192530.4055730-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Rich Felker [ Upstream commit 4d671d922d51907bc41f1f7f2dc737c928ae78fd ] Asynchronous termination of a thread outside of the userspace thread library's knowledge is an unsafe operation that leaves the process in an inconsistent, corrupt, and possibly unrecoverable state. In order to make new actions that may be added in the future safe on kernels not aware of them, change the default action from SECCOMP_RET_KILL_THREAD to SECCOMP_RET_KILL_PROCESS. Signed-off-by: Rich Felker Link: https://lore.kernel.org/r/20200829015609.GA32566@brightrain.aerifal.cx [kees: Fixed up coredump selection logic to match] Signed-off-by: Kees Cook Signed-off-by: Sasha Levin --- kernel/seccomp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 075e344a87c3f..03a49d9eba514 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -748,7 +748,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, default: seccomp_log(this_syscall, SIGSYS, action, true); /* Dump core only if this is the last remaining thread. */ - if (action == SECCOMP_RET_KILL_PROCESS || + if (action != SECCOMP_RET_KILL_THREAD || get_nr_threads(current) == 1) { siginfo_t info; @@ -758,10 +758,10 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, seccomp_init_siginfo(&info, this_syscall, data); do_coredump(&info); } - if (action == SECCOMP_RET_KILL_PROCESS) - do_group_exit(SIGSYS); - else + if (action == SECCOMP_RET_KILL_THREAD) do_exit(SIGSYS); + else + do_group_exit(SIGSYS); } unreachable(); -- 2.25.1