Message ID | 1442340797-32715-2-git-send-email-brad.figg@canonical.com |
---|---|
State | New |
Headers | show |
On Tue, Sep 15, 2015 at 11:13:17AM -0700, Brad Figg wrote: > From: Kees Cook <keescook@chromium.org> > > BugLink: http://bugs.launchpad.net/bugs/1496073 > > The value resulting from the SECCOMP_RET_DATA mask could exceed MAX_ERRNO > when setting errno during a SECCOMP_RET_ERRNO filter action. This makes > sure we have a reliable value being set, so that an invalid errno will not > be ignored by userspace. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Reported-by: Dmitry V. Levin <ldv@altlinux.org> > Cc: Andy Lutomirski <luto@amacapital.net> > Cc: Will Drewry <wad@chromium.org> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > (cherry picked from commit 580c57f1076872ebc2427f898b927944ce170f2d) > Signed-off-by: Brad Figg <brad.figg@canonical.com> > > 100.0% kernel/ > --- > kernel/seccomp.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 4ef9687..4f44028 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -629,7 +629,9 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) > > switch (action) { > case SECCOMP_RET_ERRNO: > - /* Set the low-order 16-bits as a errno. */ > + /* Set low-order bits as an errno, capped at MAX_ERRNO. */ > + if (data > MAX_ERRNO) > + data = MAX_ERRNO; > syscall_set_return_value(current, task_pt_regs(current), > -data, 0); > goto skip; > -- > 1.9.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 4ef9687..4f44028 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -629,7 +629,9 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd) switch (action) { case SECCOMP_RET_ERRNO: - /* Set the low-order 16-bits as a errno. */ + /* Set low-order bits as an errno, capped at MAX_ERRNO. */ + if (data > MAX_ERRNO) + data = MAX_ERRNO; syscall_set_return_value(current, task_pt_regs(current), -data, 0); goto skip;