Commit 7d64224217b53b23243fd2aa428001486f2a5da5
Committed by
Linus Torvalds
1 parent
363da4022c
Exists in
master
and in
4 other branches
wait_for_helper: SIGCHLD from user-space can lead to use-after-free
1. wait_for_helper() calls allow_signal(SIGCHLD) to ensure the child can't autoreap itself. However, this means that a spurious SIGCHILD from user-space can set TIF_SIGPENDING and: - kernel_thread() or sys_wait4() can fail due to signal_pending() - worse, wait4() can fail before ____call_usermodehelper() execs or exits. In this case the caller may kfree(subprocess_info) while the child still uses this memory. Change the code to use SIG_DFL instead of magic "(void __user *)2" set by allow_signal(). This means that SIGCHLD won't be delivered, yet the child won't autoreap itsefl. The problem is minor, only root can send a signal to this kthread. 2. If sys_wait4(&ret) fails it doesn't populate "ret", in this case wait_for_helper() reports a random value from uninitialized var. With this patch sys_wait4() should never fail, but still it makes sense to initialize ret = -ECHILD so that the caller can notice the problem. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Showing 1 changed file with 5 additions and 5 deletions Side-by-side Diff
kernel/kmod.c
... | ... | @@ -175,16 +175,16 @@ |
175 | 175 | struct subprocess_info *sub_info = data; |
176 | 176 | pid_t pid; |
177 | 177 | |
178 | - /* Install a handler: if SIGCLD isn't handled sys_wait4 won't | |
179 | - * populate the status, but will return -ECHILD. */ | |
180 | - allow_signal(SIGCHLD); | |
178 | + /* If SIGCLD is ignored sys_wait4 won't populate the status. */ | |
179 | + spin_lock_irq(¤t->sighand->siglock); | |
180 | + current->sighand->action[SIGCHLD-1].sa.sa_handler = SIG_DFL; | |
181 | + spin_unlock_irq(¤t->sighand->siglock); | |
181 | 182 | |
182 | 183 | pid = kernel_thread(____call_usermodehelper, sub_info, SIGCHLD); |
183 | 184 | if (pid < 0) { |
184 | 185 | sub_info->retval = pid; |
185 | 186 | } else { |
186 | - int ret; | |
187 | - | |
187 | + int ret = -ECHILD; | |
188 | 188 | /* |
189 | 189 | * Normally it is bogus to call wait4() from in-kernel because |
190 | 190 | * wait4() wants to write the exit code to a userspace address. |