wait_for_helper: SIGCHLD from user-space can lead to use-after-free

1. wait_for_helper() calls allow_signal(SIGCHLD) to ensure the child can't autoreap itself. However, this means that a spurious SIGCHILD from user-space can set TIF_SIGPENDING and: - kernel_thread() or sys_wait4() can fail due to signal_pending() - worse, wait4() can fail before ____call_usermodehelper() execs or exits. In this case the caller may kfree(subprocess_info) while the child still uses this memory. Change the code to use SIG_DFL instead of magic "(void __user *)2" set by allow_signal(). This means that SIGCHLD won't be delivered, yet the child won't autoreap itsefl. The problem is minor, only root can send a signal to this kthread. 2. If sys_wait4(&ret) fails it doesn't populate "ret", in this case wait_for_helper() reports a random value from uninitialized var. With this patch sys_wait4() should never fail, but still it makes sense to initialize ret = -ECHILD so that the caller can notice the problem. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

wait_for_helper: SIGCHLD from user-space can lead to use-after-free
1. wait_for_helper() calls allow_signal(SIGCHLD) to ensure the child can't autoreap itself. However, this means that a spurious SIGCHILD from user-space can set TIF_SIGPENDING and: - kernel_thread() or sys_wait4() can fail due to signal_pending() - worse, wait4() can fail before ____call_usermodehelper() execs or exits. In this case the caller may kfree(subprocess_info) while the child still uses this memory. Change the code to use SIG_DFL instead of magic "(void __user *)2" set by allow_signal(). This means that SIGCHLD won't be delivered, yet the child won't autoreap itsefl. The problem is minor, only root can send a signal to this kthread. 2. If sys_wait4(&ret) fails it doesn't populate "ret", in this case wait_for_helper() reports a random value from uninitialized var. With this patch sys_wait4() should never fail, but still it makes sense to initialize ret = -ECHILD so that the caller can notice the problem. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Oleg Nesterov · Linus Torvalds
1 parent 363da4022c
Showing 1 changed file with 5 additions and 5 deletions Side-by-side Diff
kernel/kmod.c
@@ -175,16 +175,16 @@
 	struct subprocess_info *sub_info = data;
 	pid_t pid;
  
-	/* Install a handler: if SIGCLD isn't handled sys_wait4 won't
-	 * populate the status, but will return -ECHILD. */
-	allow_signal(SIGCHLD);
+	/* If SIGCLD is ignored sys_wait4 won't populate the status. */
+	spin_lock_irq(&current->sighand->siglock);
+	current->sighand->action[SIGCHLD-1].sa.sa_handler = SIG_DFL;
+	spin_unlock_irq(&current->sighand->siglock);
  
 	pid = kernel_thread(____call_usermodehelper, sub_info, SIGCHLD);
 	if (pid < 0) {
 		sub_info->retval = pid;
 	} else {
-		int ret;
-
+		int ret = -ECHILD;
 		/*
 		 * Normally it is bogus to call wait4() from in-kernel because
 		 * wait4() wants to write the exit code to a userspace address.
...	...	@@ -175,16 +175,16 @@
175	175	struct subprocess_info *sub_info = data;
176	176	pid_t pid;
177	177
178		- /* Install a handler: if SIGCLD isn't handled sys_wait4 won't
179		- * populate the status, but will return -ECHILD. */
180		- allow_signal(SIGCHLD);
	178	+ /* If SIGCLD is ignored sys_wait4 won't populate the status. */
	179	+ spin_lock_irq(&current->sighand->siglock);
	180	+ current->sighand->action[SIGCHLD-1].sa.sa_handler = SIG_DFL;
	181	+ spin_unlock_irq(&current->sighand->siglock);
181	182
182	183	pid = kernel_thread(____call_usermodehelper, sub_info, SIGCHLD);
183	184	if (pid < 0) {
184	185	sub_info->retval = pid;
185	186	} else {
186		- int ret;
187		-
	187	+ int ret = -ECHILD;
188	188	/*
189	189	* Normally it is bogus to call wait4() from in-kernel because
190	190	* wait4() wants to write the exit code to a userspace address.