kernel/signal.c: avoid undefined behaviour in kill_something_info

Message ID 20180720170113.19862-2-colin.king@canonical.com
State New

Commit Message

Colin Ian King July 20, 2018, 5:01 p.m. UTC
From: zhongjiang <zhongjiang@huawei.com>

CVE-2018-10124

When running kill(72057458746458112, 0) in userspace I hit the following
issue.

  UBSAN: Undefined behaviour in kernel/signal.c:1462:11
  negation of -2147483648 cannot be represented in type 'int':
  CPU: 226 PID: 9849 Comm: test Tainted: G    B          ---- -------   3.10.0-327.53.58.70.x86_64_ubsan+ #116
  Hardware name: Huawei Technologies Co., Ltd. RH8100 V3/BC61PBIA, BIOS BLHSV028 11/11/2014
  Call Trace:
    dump_stack+0x19/0x1b
    ubsan_epilogue+0xd/0x50
    __ubsan_handle_negate_overflow+0x109/0x14e
    SYSC_kill+0x43e/0x4d0
    SyS_kill+0xe/0x10
    system_call_fastpath+0x16/0x1b

Add code to avoid the UBSAN detection.

[akpm@linux-foundation.org: tweak comment]
Link: http://lkml.kernel.org/r/1496670008-59084-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhongjiang <zhongjiang@huawei.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Xishi Qiu <qiuxishi@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(clean upstream cherry pick of commit 4ea77014af0d6205b05503d1c7aac6eacCVE-2018-10124e11d473)
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 kernel/signal.c | 4 ++++
 1 file changed, 4 insertions(+)
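As an added illustration (not part of the patch or of the kernel source), the following user-space C model shows why kill(72057458746458112, 0) reaches the negation with pid == INT_MIN and what the new guard changes: pid_from_user mirrors the narrowing of the 64-bit syscall argument to a 32-bit pid_t, and pgrp_target mirrors the "pid < -1 means signal process group -pid" branch of kill_something_info with the patch's INT_MIN check in front of it. The function names, the portable narrowing helper and the -EINVAL result for pids that are not process-group requests are assumptions of this model.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. Mirrors the narrowing that happens at the
 * syscall boundary: user space passes a 64-bit value, SYSC_kill receives a
 * 32-bit pid_t, so only the low 32 bits survive. Written without an
 * out-of-range signed conversion so the model itself has no
 * implementation-defined step. */
int pid_from_user(long long user_pid)
{
    uint32_t low = (uint32_t)user_pid;          /* modular reduction, well defined */
    if (low <= (uint32_t)INT_MAX)
        return (int)low;
    return -(int)(UINT32_MAX - low) - 1;        /* two's-complement view of the high bit */
}

/* Mirrors the "pid < -1 means signal process group -pid" branch of
 * kill_something_info() with the patch's guard in front of it. Returns the
 * group id on success or a negative errno. Without the guard, pid == INT_MIN
 * makes -pid overflow, which is the negation UBSAN reports in the commit
 * message. Returning -EINVAL for pid >= -1 is this model's choice; the kernel
 * handles those cases in other branches that are not shown here. */
int pgrp_target(int pid)
{
    if (pid == INT_MIN)
        return -ESRCH;              /* the check the patch adds */
    if (pid >= -1)
        return -EINVAL;             /* not a process-group request */
    return -pid;                    /* now always representable */
}

int main(void)
{
    int pid = pid_from_user(72057458746458112LL);  /* the value from the report */
    printf("kernel-side pid: %d\n", pid);          /* -2147483648 */
    printf("pgrp_target: %d\n", pgrp_target(pid)); /* -ESRCH */
    return 0;
}
```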

Comments

Stefan Bader July 23, 2018, 12:52 p.m. UTC | #1
On 20.07.2018 19:01, Colin King wrote:
> From: zhongjiang <zhongjiang@huawei.com>
> 
> CVE-2018-10124
> 
> When running kill(72057458746458112, 0) in userspace I hit the following
> issue.
> 
>   UBSAN: Undefined behaviour in kernel/signal.c:1462:11
>   negation of -2147483648 cannot be represented in type 'int':
>   CPU: 226 PID: 9849 Comm: test Tainted: G    B          ---- -------   3.10.0-327.53.58.70.x86_64_ubsan+ #116
>   Hardware name: Huawei Technologies Co., Ltd. RH8100 V3/BC61PBIA, BIOS BLHSV028 11/11/2014
>   Call Trace:
>     dump_stack+0x19/0x1b
>     ubsan_epilogue+0xd/0x50
>     __ubsan_handle_negate_overflow+0x109/0x14e
>     SYSC_kill+0x43e/0x4d0
>     SyS_kill+0xe/0x10
>     system_call_fastpath+0x16/0x1b
> 
> Add code to avoid the UBSAN detection.
> 
> [akpm@linux-foundation.org: tweak comment]
> Link: http://lkml.kernel.org/r/1496670008-59084-1-git-send-email-zhongjiang@huawei.com
> Signed-off-by: zhongjiang <zhongjiang@huawei.com>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Xishi Qiu <qiuxishi@huawei.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry picked from commit 4ea77014af0d6205b05503d1c7aac6eace11d473)
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

Apart from the accidental number inserted, one should only use standard "cherry
picked from" or "backported from" lines as those are parsed by the CVE
autotriaging bot.

-Stefan

>  kernel/signal.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 48a59ee..caed913 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1402,6 +1402,10 @@ static int kill_something_info(int sig, struct siginfo *info, pid_t pid)
>  		return ret;
>  	}
>  
> +	/* -INT_MIN is undefined.  Exclude this case to avoid a UBSAN warning */
> +	if (pid == INT_MIN)
> +		return -ESRCH;
> +
>  	read_lock(&tasklist_lock);
>  	if (pid != -1) {
>  		ret = __kill_pgrp_info(sig, info,
>
Juerg Haefliger July 25, 2018, 7:41 a.m. UTC | #2
Applied to trusty master-next.

...Juerg


Patch

diff --git a/kernel/signal.c b/kernel/signal.c
index 48a59ee..caed913 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1402,6 +1402,10 @@  static int kill_something_info(int sig, struct siginfo *info, pid_t pid)
 		return ret;
 	}
 
+	/* -INT_MIN is undefined.  Exclude this case to avoid a UBSAN warning */
+	if (pid == INT_MIN)
+		return -ESRCH;
+
 	read_lock(&tasklist_lock);
 	if (pid != -1) {
 		ret = __kill_pgrp_info(sig, info,
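Review bot: the early return is placed before read_lock(&tasklist_lock), so the -ESRCH path leaves no lock held and needs no unlock, which is the right spot for the check. The comment could also say why INT_MIN is the correct sentinel: the parameter in the hunk header is a pid_t, and the comparison relies on pid_t being a plain int in the kernel, so -INT_MIN is the one negation that cannot be represented while every other pid < -1 negates safely on the __kill_pgrp_info path below; spelling that out would keep a future change of the pid type from silently making the guard ineffective.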