| From a3474224e6a01924be40a8255636ea5522c1023a Mon Sep 17 00:00:00 2001 |
| From: Roland McGrath <roland@redhat.com> |
| Date: Tue, 13 Nov 2007 22:11:50 -0800 |
| Subject: wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500) |
| |
| From: Roland McGrath <roland@redhat.com> |
| |
| patch a3474224e6a01924be40a8255636ea5522c1023a in mainline |
| |
| The original meaning of the old test (p->state > TASK_STOPPED) was |
| "not dead", since it was before TASK_TRACED existed and before the |
| state/exit_state split. It was a wrong correction in commit |
| 14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for |
| TASK_TRACED instead. It should have been changed when TASK_TRACED |
| was introducted and again when exit_state was introduced. |
| |
| Signed-off-by: Roland McGrath <roland@redhat.com> |
| Cc: Oleg Nesterov <oleg@tv-sign.ru> |
| Cc: Alexey Dobriyan <adobriyan@sw.ru> |
| Cc: Kees Cook <kees@ubuntu.com> |
| Acked-by: Scott James Remnant <scott@ubuntu.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| kernel/exit.c | 3 +-- |
| 1 file changed, 1 insertion(+), 2 deletions(-) |
| |
| --- a/kernel/exit.c |
| +++ b/kernel/exit.c |
| @@ -1362,8 +1362,7 @@ static int wait_task_stopped(struct task |
| int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED; |
| |
| exit_code = p->exit_code; |
| - if (unlikely(!exit_code) || |
| - unlikely(p->state & TASK_TRACED)) |
| + if (unlikely(!exit_code) || unlikely(p->exit_state)) |
| goto bail_ref; |
| return wait_noreap_copyout(p, pid, uid, |
| why, (exit_code << 8) | 0x7f, |
