Commit 6aeb438
fork: normalize copy_process() error return before ERR_PTR().
copy_process() returns ERR_PTR(retval) from its error path, so retval
must be a negative errno. If retval is zero or positive, ERR_PTR(retval)
produces a non-error pointer that is not caught by IS_ERR() in
kernel_clone().
A BPF_MODIFY_RETURN program attached to security_task_alloc() can return
a positive value. copy_process() treats the non-zero return as a failure
and then returns ERR_PTR(1). kernel_clone() does not treat that as an
error and later dereferences the pointer, causing a kernel crash.
Normalize unexpected non-negative values before returning ERR_PTR() from
copy_process(). This keeps the fix local to the fork error path and does
not change BPF_MODIFY_RETURN verifier behavior.
The issue has been reported and discussed upstream, but the verifier-side
fix attempt has not been accepted. Carry this targeted fix in deepin-kernel
to prevent the reported denial-of-service.
Link: https://lore.kernel.org/bpf/973a1b7b-8ee7-407a-890a-11455d9cc5bf@std.uestc.edu.cn/
Link: https://lore.kernel.org/all/20260411163556.8567-1-yangfeng59949@163.com/
Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Signed-off-by: hushijia <hushijia1@uniontech.com>
1 parent 6783265 commit 6aeb438
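As an added illustration, not code from this commit or from the kernel, the following user-space re-implementation of the kernel's ERR_PTR()/IS_ERR() helpers shows why a zero or positive retval slips past the IS_ERR() check in kernel_clone() and what normalizing it in the error path changes. The stand-in copy_process_sim() and the choice of -EINVAL as the normalized errno are assumptions; the commit does not state which value it uses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>

/* Same arithmetic as include/linux/err.h: a pointer is an "error pointer"
 * only if it lies in the top MAX_ERRNO bytes of the address space. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Stand-in for the task_struct a successful copy_process() returns. */
static int dummy_task;

/* Simplified model of copy_process()'s error path (assumed shape).
 * hook_ret plays the role of the security_task_alloc() result; a
 * BPF_MODIFY_RETURN program may make it positive. Any non-zero value is
 * treated as failure, as in copy_process(). With normalize == false this
 * reproduces the bug: ERR_PTR(1) is an ordinary-looking pointer. */
static void *copy_process_sim(int hook_ret, bool normalize)
{
    int retval = hook_ret;

    if (retval == 0)
        return &dummy_task;      /* success path */
    if (normalize && retval >= 0)
        retval = -EINVAL;        /* assumed errno; commit does not say */
    return ERR_PTR(retval);
}

/* Mirrors the IS_ERR() check in kernel_clone(): true means the caller
 * would go on to dereference the returned pointer. */
static bool caller_would_dereference(void *p)
{
    return !IS_ERR(p);
}
```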
1 file changed
Lines changed: 7 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
2512 | 2512 | | |
2513 | 2513 | | |
2514 | 2514 | | |
| 2515 | + | |
| 2516 | + | |
| 2517 | + | |
| 2518 | + | |
| 2519 | + | |
| 2520 | + | |
| 2521 | + | |
2515 | 2522 | | |
2516 | 2523 | | |
2517 | 2524 | | |
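Review bot: the added block (diff lines 2515-2521) is described as normalizing a non-negative retval before ERR_PTR(), but the commit message does not say which errno it maps to; state the chosen value in the message and in a comment next to the check so reviewers can judge what user space will see from clone(). A WARN_ON_ONCE() on that path would also be worth considering, so a hook returning zero or a positive value is visible in the log rather than silently rewritten. Please confirm the check covers retval == 0 as well as positive values, since the description calls out both cases.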