forked from Minki/linux
for-linus-2020-04-18
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCXprWIAAKCRCRxhvAZXjc
omUyAQCQcvJQhilLv0b7FtBAbN7+TkzV8vAQTzEITuHPa6m/HwEA2Gp9ZDTJfQbV
T6utOrTm/LT0mfBkiDLSnLPtVzh7mgE=
=Jz3d
-----END PGP SIGNATURE-----
Merge tag 'for-linus-2020-04-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull thread fixes from Christian Brauner:
"A few fixes and minor improvements:
- Correctly validate the cgroup file descriptor when clone3() is used
with CLONE_INTO_CGROUP.
- Check that a new enough version of struct clone_args is passed
which supports the cgroup file descriptor argument when
CLONE_INTO_CGROUP is set in the flags argument.
- Catch nonsensical struct clone_args layouts at build time.
- Catch extensions of struct clone_args without updating the uapi
visible size definitions at build time.
- Check whether the signal is valid early in kill_pid_usb_asyncio()
before doing further work.
- Replace open-coded rcu_read_lock()+kill_pid_info()+rcu_read_unlock()
sequence in kill_something_info() with kill_proc_info() which is a
dedicated helper to do just that"
* tag 'for-linus-2020-04-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
clone3: add build-time CLONE_ARGS_SIZE_VER* validity checks
clone3: add a check for the user struct size if CLONE_INTO_CGROUP is set
clone3: fix cgroup argument sanity check
signal: use kill_proc_info instead of kill_pid_info in kill_something_info
signal: check sig before setting info in kill_pid_usb_asyncio
This commit is contained in:
Linus Torvalds
commit
774acb2a09
@ -2605,6 +2605,14 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
|
||||
struct clone_args args;
|
||||
pid_t *kset_tid = kargs->set_tid;
|
||||
|
||||
BUILD_BUG_ON(offsetofend(struct clone_args, tls) !=
|
||||
CLONE_ARGS_SIZE_VER0);
|
||||
BUILD_BUG_ON(offsetofend(struct clone_args, set_tid_size) !=
|
||||
CLONE_ARGS_SIZE_VER1);
|
||||
BUILD_BUG_ON(offsetofend(struct clone_args, cgroup) !=
|
||||
CLONE_ARGS_SIZE_VER2);
|
||||
BUILD_BUG_ON(sizeof(struct clone_args) != CLONE_ARGS_SIZE_VER2);
|
||||
|
||||
if (unlikely(usize > PAGE_SIZE))
|
||||
return -E2BIG;
|
||||
if (unlikely(usize < CLONE_ARGS_SIZE_VER0))
|
||||
@ -2631,7 +2639,8 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
|
||||
!valid_signal(args.exit_signal)))
|
||||
return -EINVAL;
|
||||
|
||||
if ((args.flags & CLONE_INTO_CGROUP) && args.cgroup < 0)
|
||||
if ((args.flags & CLONE_INTO_CGROUP) &&
|
||||
(args.cgroup > INT_MAX || usize < CLONE_ARGS_SIZE_VER2))
|
||||
return -EINVAL;
|
||||
|
||||
*kargs = (struct kernel_clone_args){
|
||||
|
||||
@ -1510,15 +1510,15 @@ int kill_pid_usb_asyncio(int sig, int errno, sigval_t addr,
|
||||
unsigned long flags;
|
||||
int ret = -EINVAL;
|
||||
|
||||
if (!valid_signal(sig))
|
||||
return ret;
|
||||
|
||||
clear_siginfo(&info);
|
||||
info.si_signo = sig;
|
||||
info.si_errno = errno;
|
||||
info.si_code = SI_ASYNCIO;
|
||||
*((sigval_t *)&info.si_pid) = addr;
|
||||
|
||||
if (!valid_signal(sig))
|
||||
return ret;
|
||||
|
||||
rcu_read_lock();
|
||||
p = pid_task(pid, PIDTYPE_PID);
|
||||
if (!p) {
|
||||
@ -1557,12 +1557,8 @@ static int kill_something_info(int sig, struct kernel_siginfo *info, pid_t pid)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if (pid > 0) {
|
||||
rcu_read_lock();
|
||||
ret = kill_pid_info(sig, info, find_vpid(pid));
|
||||
rcu_read_unlock();
|
||||
return ret;
|
||||
}
|
||||
if (pid > 0)
|
||||
return kill_proc_info(sig, info, pid);
|
||||
|
||||
/* -INT_MIN is undefined. Exclude this case to avoid a UBSAN warning */
|
||||
if (pid == INT_MIN)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user