Commit 4dd9f6ac authored by Yang Yingliang's avatar Yang Yingliang

signal: fix kabi changes in struct task_struct



hulk inclusion
category: kabi
bugzilla: NA
CVE: CVE-2020-10741, CVE-2020-12826

---------------------------

Commit d1e7fd64 ("signal: Extend exec_id to 64bits") can fix
CVE-2020-10741 and CVE-2020-12826, but it introduces a kabi change
in struct task_struct. Fix this kabi breakage by using new
64-bit variables, parent_exec_id_u64 and self_exec_id_u64.

Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
Reviewed-by: default avatarXie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parent 1f4a4074
+1 −0
@@ -1380,6 +1380,7 @@ void setup_new_exec(struct linux_binprm * bprm)
	/* An exec changes our domain. We are no longer part of the thread
	   group */
	WRITE_ONCE(current->self_exec_id, current->self_exec_id + 1);
	WRITE_ONCE(current->self_exec_id_u64, current->self_exec_id_u64 + 1);
	flush_signal_handlers(current, 0);
}
EXPORT_SYMBOL(setup_new_exec);
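Review bot: The added `WRITE_ONCE()` on `self_exec_id_u64` in `setup_new_exec()` carries no comment saying which of the two counters is authoritative or what the store pairs with. From the other sections of this commit, `do_notify_parent()` compares only the `_u64` pair and reads the parent's value with `READ_ONCE()`, so the u32 counter appears to survive purely for kABI layout and still wraps. I would extend the existing comment with something like `/* self_exec_id stays for kABI only; self_exec_id_u64 is what do_notify_parent() checks, read locklessly with READ_ONCE() */`. If this tree is ever built for a 32-bit target, a 64-bit store and load can each be split in two, which is worth stating in the same comment. The same unexplained duplication appears in both branches of `copy_process()`.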
+7 −2
@@ -892,8 +892,8 @@ struct task_struct {
	struct seccomp			seccomp;

	/* Thread group tracking: */
	u64				parent_exec_id;
	u64				self_exec_id;
	u32				parent_exec_id;
	u32				self_exec_id;

	/* Protection against (de-)allocation: mm, files, fs, tty, keyrings, mems_allowed, mempolicy: */
	spinlock_t			alloc_lock;
@@ -1212,8 +1212,13 @@ struct task_struct {
	 */
	randomized_struct_fields_end

#ifndef __GENKSYMS__
	u64				parent_exec_id_u64;
	u64				self_exec_id_u64;
#else
	KABI_RESERVE(1)
	KABI_RESERVE(2)
#endif
	KABI_RESERVE(3)
	KABI_RESERVE(4)
	KABI_RESERVE(5)
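Review bot: Placing `parent_exec_id_u64` and `self_exec_id_u64` where `KABI_RESERVE(1)` and `KABI_RESERVE(2)` used to be keeps the layout of `struct task_struct` only if each reserved slot has the same size and alignment as a `u64`, and nothing in the hunk checks that. The `#ifndef __GENKSYMS__` guard hides the substitution from the symbol checksum, so a mismatch would shift `KABI_RESERVE(3)` onwards without any build failure. `KABI_RESERVE`'s definition is not part of this diff; assuming a slot is one `unsigned long`, a build-time check such as `BUILD_BUG_ON(sizeof(u64) != sizeof(unsigned long));` in an init path would catch it. The u32 fields in the first hunk also deserve a comment, for example `/* kABI: legacy 32-bit ids, not used for the security-domain check; see *_exec_id_u64 */`. `struct task_struct` begins and ends outside both hunks.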
+2 −0
@@ -2055,9 +2055,11 @@ static __latent_entropy struct task_struct *copy_process(
	if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) {
		p->real_parent = current->real_parent;
		p->parent_exec_id = current->parent_exec_id;
		p->parent_exec_id_u64 = current->parent_exec_id_u64;
	} else {
		p->real_parent = current;
		p->parent_exec_id = current->self_exec_id;
		p->parent_exec_id_u64 = current->self_exec_id_u64;
	}

	klp_copy_process(p);
+1 −1
@@ -1827,7 +1827,7 @@ bool do_notify_parent(struct task_struct *tsk, int sig)
		 * This is only possible if parent == real_parent.
		 * Check if it has changed security domain.
		 */
		if (tsk->parent_exec_id != READ_ONCE(tsk->parent->self_exec_id))
		if (tsk->parent_exec_id_u64 != READ_ONCE(tsk->parent->self_exec_id_u64))
			sig = SIGCHLD;
	}