ACK/Cmnt: [PATCH] kernel/signal.c: avoid undefined behaviour in kill_something_info
Stefan Bader
stefan.bader at canonical.com
Mon Jul 23 12:52:12 UTC 2018
On 20.07.2018 19:01, Colin King wrote:
> From: zhongjiang <zhongjiang at huawei.com>
>
> CVE-2018-10124
>
> When running kill(72057458746458112, 0) in userspace I hit the following
> issue.
>
> UBSAN: Undefined behaviour in kernel/signal.c:1462:11
> negation of -2147483648 cannot be represented in type 'int':
> CPU: 226 PID: 9849 Comm: test Tainted: G B ---- ------- 3.10.0-327.53.58.70.x86_64_ubsan+ #116
> Hardware name: Huawei Technologies Co., Ltd. RH8100 V3/BC61PBIA, BIOS BLHSV028 11/11/2014
> Call Trace:
> dump_stack+0x19/0x1b
> ubsan_epilogue+0xd/0x50
> __ubsan_handle_negate_overflow+0x109/0x14e
> SYSC_kill+0x43e/0x4d0
> SyS_kill+0xe/0x10
> system_call_fastpath+0x16/0x1b
>
> Add code to avoid the UBSAN detection.
>
> [akpm at linux-foundation.org: tweak comment]
> Link: http://lkml.kernel.org/r/1496670008-59084-1-git-send-email-zhongjiang@huawei.com
> Signed-off-by: zhongjiang <zhongjiang at huawei.com>
> Cc: Oleg Nesterov <oleg at redhat.com>
> Cc: Michal Hocko <mhocko at kernel.org>
> Cc: Vlastimil Babka <vbabka at suse.cz>
> Cc: Xishi Qiu <qiuxishi at huawei.com>
> Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit 4ea77014af0d6205b05503d1c7aac6eace11d473)
> Signed-off-by: Colin Ian King <colin.king at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
Apart from the accidental number inserted, one should only use standard "cherry
picked from" or "backported from" lines as those are parsed by the CVE
autotriaging bot.
-Stefan
> kernel/signal.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 48a59ee..caed913 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1402,6 +1402,10 @@ static int kill_something_info(int sig, struct siginfo *info, pid_t pid)
> return ret;
> }
>
> + /* -INT_MIN is undefined. Exclude this case to avoid a UBSAN warning */
> + if (pid == INT_MIN)
> + return -ESRCH;
> +
> read_lock(&tasklist_lock);
> if (pid != -1) {
> ret = __kill_pgrp_info(sig, info,
>
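Review bot: The comment above the new `if (pid == INT_MIN)` check gives "avoid a UBSAN warning" as the reason, which describes the tool that flagged the problem rather than why `-ESRCH` is the right answer. Consider wording it around the value itself, for example "-INT_MIN is not representable in int, so no such process group ID can exist", so the return code is justified for readers who build without UBSAN. The comparison of a `pid_t` against `INT_MIN` also relies on `pid_t` being a plain `int`; that is worth a word in the comment or commit message. The placement is good: the early return sits before `read_lock(&tasklist_lock)`, so no unlock is needed on this path.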
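An added userspace illustration of the bug in the quoted commit message (not kernel code and not part of the original thread): it shows why the reported `kill()` argument ends up as `INT_MIN` and how the guard keeps the later negation in range. The names `narrow_pid`, `classify_pid` and `enum target` are hypothetical, and the narrowing of the 64-bit syscall argument to a 32-bit `pid_t` by keeping its low 32 bits is an assumption, consistent with the value in the UBSAN report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

enum target { T_PROCESS, T_OWN_PGRP, T_PGRP, T_ALL };

/* Assumption: the 64-bit syscall argument is narrowed to a 32-bit pid_t by
 * keeping its low 32 bits. Written without implementation-defined casts. */
static int32_t narrow_pid(uint64_t raw)
{
    uint32_t low = (uint32_t)raw;
    if (low > (uint32_t)INT32_MAX)
        return (int32_t)(low - 0x80000000u) + INT32_MIN;
    return (int32_t)low;
}

/* Returns 0 and fills t and id, or -ESRCH when -pid is not representable. */
static int classify_pid(int32_t pid, enum target *t, int32_t *id)
{
    *id = 0;
    if (pid > 0) {
        *t = T_PROCESS;
        *id = pid;
    } else if (pid == INT32_MIN) {
        return -ESRCH;          /* the guard the patch adds */
    } else if (pid == -1) {
        *t = T_ALL;
    } else if (pid == 0) {
        *t = T_OWN_PGRP;
    } else {
        *t = T_PGRP;
        *id = -pid;             /* safe: pid is in [INT32_MIN + 1, -2] */
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs; the first is the value from the commit message. */
    const uint64_t raw[] = { 72057458746458112ULL, (uint64_t)-5, 0, 1234 };
    enum target t;
    int32_t id;
    for (size_t i = 0; i < sizeof(raw) / sizeof(raw[0]); i++) {
        int32_t pid = narrow_pid(raw[i]);
        int ret = classify_pid(pid, &t, &id);
        printf("pid=%d ret=%d id=%d\n", pid, ret, id);
    }
    return 0;
}
```

Without the `INT32_MIN` branch, the final `else` would evaluate `-pid` on a value whose negation does not fit in 32 bits, which is the signed overflow UBSAN reported.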