Forwarded: [PATCH] kernel/fork: validate exit_signal in clone() syscall

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.

***

Subject: [PATCH] kernel/fork: validate exit_signal in clone() syscall
Author: kartikey406@xxxxxxxxx

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


The clone() syscall constructs exit_signal as:

  (lower_32_bits(clone_flags) & CSIGNAL)

CSIGNAL is 0xff, so values in the range 65-255 are possible.
However, valid_signal() only accepts signals up to _NSIG (64 on
x86_64). This allows a userspace process to store an invalid
exit_signal in task_struct->exit_signal, which later triggers a
WARN_ON(!valid_signal(sig)) in do_notify_parent() when the process
exits:

  WARNING: kernel/signal.c:2174 do_notify_parent+0xc7e/0xd70

The comment above kernel_clone() states that callers are expected
to validate exit_signal before calling kernel_clone(). clone3()
correctly does this:

  if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
               !valid_signal(args.exit_signal)))
          return -EINVAL;

The clone() syscall has no such check. Add the missing
valid_signal() check to the clone() syscall handler, consistent
with the existing validation in clone3().

Reported-by: syzbot+bbe6b99feefc3a0842de@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
Signed-off-by: Deepanshu Kartikey <Kartikey406@xxxxxxxxx>
---
 kernel/fork.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 947a8dbce06a..dbe26ac6ca10 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2845,7 +2845,8 @@ SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp,
 		.stack		= newsp,
 		.tls		= tls,
 	};
-
+	if (!valid_signal(args.exit_signal))
+		return -EINVAL;
 	return kernel_clone(&args);
 }
 #endif
-- 
2.43.0