Commit 6aeb438

fork: normalize copy_process() error return before ERR_PTR().

copy_process() returns ERR_PTR(retval) from its error path, so retval must be a negative errno. If retval is zero or positive, ERR_PTR(retval) produces a non-error pointer that is not caught by IS_ERR() in kernel_clone().

A BPF_MODIFY_RETURN program attached to security_task_alloc() can return a positive value. copy_process() treats the non-zero return as a failure and then returns ERR_PTR(1). kernel_clone() does not treat that as an error and later dereferences the pointer, causing a kernel crash.

Normalize unexpected non-negative values before returning ERR_PTR() from copy_process(). This keeps the fix local to the fork error path and does not change BPF_MODIFY_RETURN verifier behavior.

The issue has been reported and discussed upstream, but the verifier-side fix attempt has not been accepted. Carry this targeted fix in deepin-kernel to prevent the reported denial-of-service.

Link: https://lore.kernel.org/bpf/973a1b7b-8ee7-407a-890a-11455d9cc5bf@std.uestc.edu.cn/
Link: https://lore.kernel.org/all/20260411163556.8567-1-yangfeng59949@163.com/
Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Signed-off-by: hushijia <hushijia1@uniontech.com>
1 parent 6783265 commit 6aeb438
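
The failure mode described in the commit message, as an added user-space model (not code from the kernel or from this commit). ERR_PTR(), PTR_ERR() and IS_ERR() are re-implemented here after include/linux/err.h; model_copy_process(), model_caller(), the outcome enum and the sample task are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space re-implementation of the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static bool IS_ERR(const void *ptr)
{
    /* Only the top 4095 addresses, i.e. -MAX_ERRNO..-1, count as errors. */
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct task { int pid; };
static struct task sample_task = { .pid = 1234 };   /* constructed sample */

enum outcome { TASK_OK, ERROR_HANDLED, BOGUS_POINTER_USED };

/* Hypothetical stand-in: hook_ret models what security_task_alloc() returned. */
static struct task *model_copy_process(int hook_ret, bool normalize)
{
    int retval = hook_ret;

    if (retval == 0)
        return &sample_task;            /* hook allowed the fork */
    /* Error path: any non-zero value is treated as a failure. */
    if (normalize && retval >= 0)
        retval = -EINVAL;               /* the check this commit adds */
    return ERR_PTR(retval);
}

/* Hypothetical caller that trusts IS_ERR(), as the message says kernel_clone() does. */
static enum outcome model_caller(int hook_ret, bool normalize)
{
    struct task *p = model_copy_process(hook_ret, normalize);

    if (IS_ERR(p))
        return ERROR_HANDLED;
    /* The kernel would dereference p here; the model only classifies it. */
    return p == &sample_task ? TASK_OK : BOGUS_POINTER_USED;
}

int main(void)
{
    printf("hook=-ENOMEM       -> %d\n", model_caller(-ENOMEM, false));
    printf("hook=1, no check   -> %d\n", model_caller(1, false));
    printf("hook=1, with check -> %d\n", model_caller(1, true));
    printf("errno after check  -> %ld\n", PTR_ERR(model_copy_process(1, true)));
    return 0;
}
```

The outcome values print as 0 (TASK_OK), 1 (ERROR_HANDLED) and 2 (BOGUS_POINTER_USED).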

1 file changed

Lines changed: 7 additions & 0 deletions

kernel/fork.c

@@ -2512,6 +2512,13 @@ __latent_entropy struct task_struct *copy_process(
25122512
spin_lock_irq(&current->sighand->siglock);
25132513
hlist_del_init(&delayed.node);
25142514
spin_unlock_irq(&current->sighand->siglock);
2515+
/*
2516+
* The error path returns ERR_PTR(retval), which requires a negative
2517+
* errno. Normalize unexpected values to avoid returning non-error
2518+
* pointers to callers.
2519+
*/
2520+
if (unlikely(retval >= 0))
2521+
retval = -EINVAL;
25152522
return ERR_PTR(retval);
25162523
}
25172524
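
Review bot: the added if (unlikely(retval >= 0)) check just before return ERR_PTR(retval) rewrites the value to -EINVAL silently, so nothing records that an errno was substituted or what the original value was. Consider logging the original retval once ahead of the assignment (for example with pr_warn_once); WARN_ON_ONCE would be a poorer fit, because with panic_on_warn set the same input would end in a crash again. The new comment could also name the known source of such values, the BPF_MODIFY_RETURN program on security_task_alloc() that the commit message describes, so the check is not later removed as dead code.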
