public inbox for linux-kernel@vger.kernel.org
From: Christian Brauner <brauner@kernel.org>
To: linux-fsdevel@vger.kernel.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Jan Kara <jack@suse.cz>,
	 linux-kernel@vger.kernel.org,
	 "Christian Brauner (Amutable)" <brauner@kernel.org>
Subject: [PATCH 3/3] pidfs: don't report pidfd_info fields that won't fit in the user buffer
Date: Mon, 20 Apr 2026 15:32:37 +0200	[thread overview]
Message-ID: <20260420-work-pidfs-v1-3-4bd614e1cb33@kernel.org> (raw)
In-Reply-To: <20260420-work-pidfs-v1-0-4bd614e1cb33@kernel.org>

The UAPI documentation for struct pidfd_info promises that if the
structure provided by userspace is too small to contain a field, the
kernel will not set the corresponding bit in the returned mask.

The kernel violates this contract: it sets PIDFD_INFO_COREDUMP and
PIDFD_INFO_COREDUMP_SIGNAL in the returned mask without checking that
usize >= PIDFD_INFO_SIZE_VER1 (the coredump fields start at offset 64,
beyond a VER0 buffer). Similarly, PIDFD_INFO_SUPPORTED_MASK is set
without checking usize >= PIDFD_INFO_SIZE_VER2.

While copy_struct_to_user() correctly only copies min(usize, ksize)
bytes (so no kernel memory leaks), userspace that trusts the mask bits
as documented may read its own uninitialized buffer and interpret it as
valid data.

Gate each set of mask bits on the user-provided struct being large
enough to actually deliver the corresponding fields.

Fixes: 9e77e4882bae ("pidfs: support retrieving supported pidfd_info flags")
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 fs/pidfs.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/pidfs.c b/fs/pidfs.c
index 2ab8fd2646f0..4c24d2eb7e41 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -375,7 +375,7 @@ static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg)
 		}
 	}
 
-	if (mask & PIDFD_INFO_COREDUMP) {
+	if ((mask & PIDFD_INFO_COREDUMP) && usize >= PIDFD_INFO_SIZE_VER1) {
 		if (test_bit(PIDFS_ATTR_BIT_COREDUMP, &attr->attr_mask)) {
 			smp_rmb();
 			kinfo.mask |= PIDFD_INFO_COREDUMP | PIDFD_INFO_COREDUMP_SIGNAL;
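Review bot: the new `usize >= PIDFD_INFO_SIZE_VER1` gate on the PIDFD_INFO_COREDUMP block is the right fix for the contract the commit message describes, but nothing at this line says why the buffer size matters; a one-line comment above the condition noting that the coredump fields live past the VER0 layout would make the intent self-explanatory. Separately, the Fixes: tag names the commit that added PIDFD_INFO_SUPPORTED_MASK, yet this hunk and the next correct the older coredump reporting path, so consider whether a second Fixes: tag (and a stable Cc) is warranted for the commit that introduced the coredump fields.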
@@ -400,7 +400,8 @@ static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg)
 	if (!c)
 		return -ESRCH;
 
-	if ((mask & PIDFD_INFO_COREDUMP) && !kinfo.coredump_mask) {
+	if ((mask & PIDFD_INFO_COREDUMP) && usize >= PIDFD_INFO_SIZE_VER1 &&
+	    !kinfo.coredump_mask) {
 		guard(task_lock)(task);
 		if (task->mm) {
 			unsigned long flags = __mm_flags_get_dumpable(task->mm);
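Review bot: this is the second place the same `usize >= PIDFD_INFO_SIZE_VER1` check is spelled out for PIDFD_INFO_COREDUMP, and the two sites must stay in sync or the dumpable fallback in this hunk could fill coredump_mask for a buffer the first block already declined. Clearing the bit once, before either block, would remove the duplication and leave both original conditions untouched, e.g. `if (usize < PIDFD_INFO_SIZE_VER1) mask &= ~PIDFD_INFO_COREDUMP;`. The wrapped condition itself follows the usual continuation indent, so no style concern there.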
@@ -455,7 +456,7 @@ static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg)
 		return -ESRCH;
 
 copy_out:
-	if (mask & PIDFD_INFO_SUPPORTED_MASK) {
+	if ((mask & PIDFD_INFO_SUPPORTED_MASK) && usize >= PIDFD_INFO_SIZE_VER2) {
 		kinfo.mask |= PIDFD_INFO_SUPPORTED_MASK;
 		kinfo.supported_mask = PIDFD_INFO_SUPPORTED;
 	}
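Review bot: gating PIDFD_INFO_SUPPORTED_MASK on `usize >= PIDFD_INFO_SIZE_VER2` closes the last case named in the commit message and is the one the Fixes: tag covers. What is still missing is something that keeps the contract from regressing: a pidfd selftest that issues the info request with a VER0-sized and a VER1-sized buffer and asserts that PIDFD_INFO_COREDUMP, PIDFD_INFO_COREDUMP_SIGNAL and PIDFD_INFO_SUPPORTED_MASK are absent from the returned mask would be cheap and would have caught the original bug.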

-- 
2.47.3

