hulk inclusion category: kabi bugzilla: NA CVE: CVE-2020-10741, CVE-2020-12826
---------------------------
Commit d1e7fd6462ca ("signal: Extend exec_id to 64bits") fixes CVE-2020-10741 and CVE-2020-12826, but it introduces a kabi change in struct task_struct. Fix this kabi breakage by instead adding two new 64-bit fields, parent_exec_id_u64 and self_exec_id_u64.
Signed-off-by: Yang Yingliang yangyingliang@huawei.com Reviewed-by: Xie XiuQi xiexiuqi@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- fs/exec.c | 1 + include/linux/sched.h | 9 +++++++-- kernel/fork.c | 2 ++ kernel/signal.c | 2 +- 4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index 15d9974..19c0700 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1380,6 +1380,7 @@ void setup_new_exec(struct linux_binprm * bprm)
 	/* An exec changes our domain. We are no longer part of the thread group */
 	WRITE_ONCE(current->self_exec_id, current->self_exec_id + 1);
+	WRITE_ONCE(current->self_exec_id_u64, current->self_exec_id_u64 + 1);
 	flush_signal_handlers(current, 0);
 }
 EXPORT_SYMBOL(setup_new_exec);
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 1d15ab4..302fa00 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -892,8 +892,8 @@ struct task_struct {
 	struct seccomp	seccomp;
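Review bot: The added WRITE_ONCE() keeps self_exec_id_u64 in step with the 32-bit self_exec_id, but nothing at this site says why two counters now exist or which one is authoritative, so the u32 increment is at risk of being removed as dead code later. Suggest a comment above the pair: `/* self_exec_id stays 32-bit for kABI; do_notify_parent() compares the _u64 copies */`. The same point applies to the two parent_exec_id assignments in the kernel/fork.c hunk. setup_new_exec() begins outside the hunk.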
 	/* Thread group tracking: */
-	u64	parent_exec_id;
-	u64	self_exec_id;
+	u32	parent_exec_id;
+	u32	self_exec_id;
 	/* Protection against (de-)allocation: mm, files, fs, tty, keyrings, mems_allowed, mempolicy: */
 	spinlock_t	alloc_lock;
@@ -1212,8 +1212,13 @@ struct task_struct {
 	 */
 	randomized_struct_fields_end
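Review bot: Read on its own, narrowing parent_exec_id and self_exec_id from u64 back to u32 looks like it reintroduces the counter wrap that the referenced upstream commit removed; the hunk does not record that these fields are being kept at their kABI width while do_notify_parent() now compares the new _u64 pair. Suggest extending the existing comment: `/* Thread group tracking (kept 32-bit for kABI; do_notify_parent() uses parent_exec_id_u64/self_exec_id_u64 below): */`. The struct task_struct definition starts and ends outside the hunk.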
+#ifndef __GENKSYMS__
+	u64	parent_exec_id_u64;
+	u64	self_exec_id_u64;
+#else
 	KABI_RESERVE(1)
 	KABI_RESERVE(2)
+#endif
 	KABI_RESERVE(3)
 	KABI_RESERVE(4)
 	KABI_RESERVE(5)
diff --git a/kernel/fork.c b/kernel/fork.c
index 2839961..951aa6f 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2055,9 +2055,11 @@ static __latent_entropy struct task_struct *copy_process(
 	if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) {
 		p->real_parent = current->real_parent;
 		p->parent_exec_id = current->parent_exec_id;
+		p->parent_exec_id_u64 = current->parent_exec_id_u64;
 	} else {
 		p->real_parent = current;
 		p->parent_exec_id = current->self_exec_id;
+		p->parent_exec_id_u64 = current->self_exec_id_u64;
 	}
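Review bot: The two new u64 fields are declared in place of KABI_RESERVE(1) and KABI_RESERVE(2), so the layout the real build sees only matches the one genksyms checksums if each KABI_RESERVE() slot is exactly 64 bits wide; the macro's definition is not in the hunk, so that equivalence should be confirmed rather than assumed, for example with a BUILD_BUG_ON() on the two sizes or at least a comment naming the assumption. Suggest above the #ifndef: `/* Occupies the KABI_RESERVE(1)/(2) slots; both must remain 8 bytes wide. */`. This hunk is inside struct task_struct, which starts and ends outside it.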
 	klp_copy_process(p);
diff --git a/kernel/signal.c b/kernel/signal.c
index 60ea2ee..a58af7d 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1827,7 +1827,7 @@ bool do_notify_parent(struct task_struct *tsk, int sig)
 		 * This is only possible if parent == real_parent.
 		 * Check if it has changed security domain.
 		 */
-		if (tsk->parent_exec_id != READ_ONCE(tsk->parent->self_exec_id))
+		if (tsk->parent_exec_id_u64 != READ_ONCE(tsk->parent->self_exec_id_u64))
 			sig = SIGCHLD;
 	}
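Review bot: The child's parent_exec_id_u64 is assigned in both branches, but its self_exec_id_u64 is never set in this hunk; that is presumably fine if the field is inherited through the whole-struct copy earlier in copy_process(), exactly as the 32-bit self_exec_id already is, but that copy is not visible here and is worth confirming for the new field. A one-line comment above the if would make the pairing explicit: `/* keep the kABI u32 and the u64 exec ids in lockstep */`. copy_process() begins and ends outside the hunk.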
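Review bot: The comparison now reads a u64 with READ_ONCE(), and on 32-bit architectures that need not compile to a single load, so an increment racing in setup_new_exec() could in principle be observed torn; if the upstream change accepted that, the comment block above should say so, since as far as this hunk shows a torn value that mismatches only forces `sig = SIGCHLD`, which is the conservative outcome. Suggest appending to the existing comment: ` * (exec ids are 64-bit; a torn read on 32-bit only risks a spurious mismatch)`. do_notify_parent() begins and ends outside the hunk.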