Merge tag 'for-linus-2020-04-18' of git://git.kernel.org/pub/scm/linu…

…x/kernel/git/brauner/linux Pull thread fixes from Christian Brauner: "A few fixes and minor improvements: - Correctly validate the cgroup file descriptor when clone3() is used with CLONE_INTO_CGROUP. - Check that a new enough version of struct clone_args is passed which supports the cgroup file descriptor argument when CLONE_INTO_CGROUP is set in the flags argument. - Catch nonsensical struct clone_args layouts at build time. - Catch extensions of struct clone_args without updating the uapi visible size definitions at build time. - Check whether the signal is valid early in kill_pid_usb_asyncio() before doing further work. - Replace open-coded rcu_read_lock()+kill_pid_info()+rcu_read_unlock() sequence in kill_something_info() with kill_proc_info() which is a dedicated helper to do just that" * tag 'for-linus-2020-04-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: clone3: add build-time CLONE_ARGS_SIZE_VER* validity checks clone3: add a check for the user struct size if CLONE_INTO_CGROUP is set clone3: fix cgroup argument sanity check signal: use kill_proc_info instead of kill_pid_info in kill_something_info signal: check sig before setting info in kill_pid_usb_asyncio
mariux64 · Apr 18, 2020 · 774acb2 · 774acb2
2 parents b484f3c + a966dcf
commit 774acb2
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/kernel/fork.c b/kernel/fork.c
@@ -2605,6 +2605,14 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
 	struct clone_args args;
 	pid_t *kset_tid = kargs->set_tid;
 
+	BUILD_BUG_ON(offsetofend(struct clone_args, tls) !=
+		     CLONE_ARGS_SIZE_VER0);
+	BUILD_BUG_ON(offsetofend(struct clone_args, set_tid_size) !=
+		     CLONE_ARGS_SIZE_VER1);
+	BUILD_BUG_ON(offsetofend(struct clone_args, cgroup) !=
+		     CLONE_ARGS_SIZE_VER2);
+	BUILD_BUG_ON(sizeof(struct clone_args) != CLONE_ARGS_SIZE_VER2);
+
 	if (unlikely(usize > PAGE_SIZE))
 		return -E2BIG;
 	if (unlikely(usize < CLONE_ARGS_SIZE_VER0))
@@ -2631,7 +2639,8 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
 		     !valid_signal(args.exit_signal)))
 		return -EINVAL;
 
-	if ((args.flags & CLONE_INTO_CGROUP) && args.cgroup < 0)
+	if ((args.flags & CLONE_INTO_CGROUP) &&
+	    (args.cgroup > INT_MAX || usize < CLONE_ARGS_SIZE_VER2))
 		return -EINVAL;
 
 	*kargs = (struct kernel_clone_args){

diff --git a/kernel/signal.c b/kernel/signal.c
@@ -1510,15 +1510,15 @@ int kill_pid_usb_asyncio(int sig, int errno, sigval_t addr,
 	unsigned long flags;
 	int ret = -EINVAL;
 
+	if (!valid_signal(sig))
+		return ret;
+
 	clear_siginfo(&info);
 	info.si_signo = sig;
 	info.si_errno = errno;
 	info.si_code = SI_ASYNCIO;
 	*((sigval_t *)&info.si_pid) = addr;
 
-	if (!valid_signal(sig))
-		return ret;
-
 	rcu_read_lock();
 	p = pid_task(pid, PIDTYPE_PID);
 	if (!p) {
@@ -1557,12 +1557,8 @@ static int kill_something_info(int sig, struct kernel_siginfo *info, pid_t pid)
 {
 	int ret;
 
-	if (pid > 0) {
-		rcu_read_lock();
-		ret = kill_pid_info(sig, info, find_vpid(pid));
-		rcu_read_unlock();
-		return ret;
-	}
+	if (pid > 0)
+		return kill_proc_info(sig, info, pid);
 
 	/* -INT_MIN is undefined.  Exclude this case to avoid a UBSAN warning */
 	if (pid == INT_MIN)