[PATCH] signal: fix kabi changes in struct task_struct
hulk inclusion
category: kabi
bugzilla: NA
CVE: CVE-2020-10741, CVE-2020-12826
---------------------------
Commit d1e7fd6462ca ("signal: Extend exec_id to 64bits") can fixes CVE-2020-10741 and CVE-2020-12826, but it introduces a kabi change in struct task_strcut. Fix this kabi broken by using another new 64bits variables parent_exec_id_u64 and self_exec_id_u64.
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
fs/exec.c | 1 +
include/linux/sched.h | 9 +++++++--
kernel/fork.c | 2 ++
kernel/signal.c | 2 +-
4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index 15d9974..19c0700 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1380,6 +1380,7 @@ void setup_new_exec(struct linux_binprm * bprm)
/* An exec changes our domain. We are no longer part of the thread group */
WRITE_ONCE(current->self_exec_id, current->self_exec_id + 1);
+ WRITE_ONCE(current->self_exec_id_u64, current->self_exec_id_u64 + 1);
flush_signal_handlers(current, 0);
}
EXPORT_SYMBOL(setup_new_exec);
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 1d15ab4..302fa00 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -892,8 +892,8 @@ struct task_struct {
struct seccomp seccomp;
/* Thread group tracking: */
- u64 parent_exec_id;
- u64 self_exec_id;
+ u32 parent_exec_id;
+ u32 self_exec_id;
/* Protection against (de-)allocation: mm, files, fs, tty, keyrings, mems_allowed, mempolicy: */
spinlock_t alloc_lock;
@@ -1212,8 +1212,13 @@ struct task_struct {
*/
randomized_struct_fields_end
+#ifndef __GENKSYMS__
+ u64 parent_exec_id_u64;
+ u64 self_exec_id_u64;
+#else
KABI_RESERVE(1)
KABI_RESERVE(2)
+#endif
KABI_RESERVE(3)
KABI_RESERVE(4)
KABI_RESERVE(5)
diff --git a/kernel/fork.c b/kernel/fork.c
index 2839961..951aa6f 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
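Review bot: The two `u64` fields added behind `#ifndef __GENKSYMS__` in the second include/linux/sched.h hunk carry no comment saying why they duplicate the `u32` `parent_exec_id`/`self_exec_id` kept in the first hunk or why they take the KABI_RESERVE(1)/(2) slots, so a later reader cannot tell which pair is authoritative for the security-domain check. A comment on the new fields such as `/* 64-bit exec ids (CVE-2020-10741, CVE-2020-12826), placed in KABI_RESERVE(1)/(2) so the kABI layout is unchanged; do_notify_parent() compares these, not the u32 copies */` and, on the `u32` pair, `/* Kept only for kABI: wraps after 2^32 execs, must not be used for security-domain checks */` would record that intent. The layout preservation also rests on KABI_RESERVE() expanding to a u64-sized slot, which is not visible in this hunk; a BUILD_BUG_ON() on the size of struct task_struct (or on the offset of KABI_RESERVE(3)) under both sides of the `#ifndef` would make that checked rather than assumed. struct task_struct begins and ends outside both hunks.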
@@ -2055,9 +2055,11 @@ static __latent_entropy struct task_struct *copy_process(
if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) {
p->real_parent = current->real_parent;
p->parent_exec_id = current->parent_exec_id;
+ p->parent_exec_id_u64 = current->parent_exec_id_u64;
} else {
p->real_parent = current;
p->parent_exec_id = current->self_exec_id;
+ p->parent_exec_id_u64 = current->self_exec_id_u64;
}
klp_copy_process(p);
diff --git a/kernel/signal.c b/kernel/signal.c
index 60ea2ee..a58af7d 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1827,7 +1827,7 @@ bool do_notify_parent(struct task_struct *tsk, int sig)
* This is only possible if parent == real_parent.
* Check if it has changed security domain.
*/
- if (tsk->parent_exec_id != READ_ONCE(tsk->parent->self_exec_id))
+ if (tsk->parent_exec_id_u64 != READ_ONCE(tsk->parent->self_exec_id_u64))
sig = SIGCHLD;
}
--
1.8.3
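Review bot: The comparison in the kernel/signal.c hunk now consults only the `_u64` copies, so the `u32` `parent_exec_id`/`self_exec_id` that the fs/exec.c and kernel/fork.c hunks still maintain are, as far as this patch shows, written but never read; if any reader of the `u32` fields remains outside this patch it still sees a counter that wraps after 2^32 execs, which is exactly the condition the two CVEs describe. A comment at the changed line, `/* Compare the 64-bit ids: the u32 copies exist only for kABI and can wrap */`, would keep a future backport from reverting to the narrow fields. In the kernel/fork.c hunk the child's `self_exec_id_u64` is not assigned, so it presumably inherits through the same whole-struct copy that the existing `u32` `self_exec_id` relies on — worth confirming, since the new fields sit in slots that were previously reserve padding. Both copy_process() and do_notify_parent() begin and end outside these hunks.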