git.baikalelectronics.ru Git - kernel.git/commit

author	Jann Horn <jannh@google.com>
	Mon, 5 Oct 2020 01:44:01 +0000 (03:44 +0200)
committer	Kees Cook <keescook@chromium.org>
	Thu, 8 Oct 2020 20:17:47 +0000 (13:17 -0700)
commit	21900657b82341472bd9b4c9a1a31bff2d43ef29
tree	7695a6683c814dbfd5174b10d55f51e071825bad	tree \| snapshot
parent	531984e76f4128b49441d816490c10e7a9ab2191	commit \| diff

seccomp: Make duplicate listener detection non-racy

Currently, init_listener() tries to prevent adding a filter with
SECCOMP_FILTER_FLAG_NEW_LISTENER if one of the existing filters already
has a listener. However, this check happens without holding any lock that
would prevent another thread from concurrently installing a new filter
(potentially with a listener) on top of the ones we already have.

Theoretically, this is also a data race: The plain load from
current->seccomp.filter can race with concurrent writes to the same
location.

Fix it by moving the check into the region that holds the siglock to guard
against concurrent TSYNC.

(The "Fixes" tag points to the commit that introduced the theoretical
data race; concurrent installation of another filter with TSYNC only
became possible later, in commit 7f9dda3b2c2f ("seccomp: allow TSYNC and
USER_NOTIF together").)

Fixes: 6a02b13b4538 ("seccomp: add a return code to trap to userspace")
Reviewed-by: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20201005014401.490175-1-jannh@google.com