| author | Oleg Nesterov <oleg@redhat.com> | 2017-01-09 20:26:14 -0800 |
|---|---|---|
| committer | Prasad Sodagudi <psodagud@codeaurora.org> | 2017-01-23 18:31:21 -0800 |
| commit | 5cbee2fa5de964083d6d9a2d4898615227393a9d (patch) | |
| tree | 6cc9be3288bc0de132834fd818ad0e1d1fb1bb91 /kernel | |
| parent | 4f1f60e00d6a434232e6fdc048d072296c24fb45 (diff) | |
Use after free from pid_nr_ns()
A use-after-free was reported because the group leader task had already
been freed while other tasks in the thread group were still holding its
address in their task->group_leader pointer.
pid_nr_ns+0x10/0x38
cgroup_pidlist_start+0x144/0x400
cgroup_seqfile_start+0x1c/0x24
kernfs_seq_start+0x54/0x90
seq_read+0x15c/0x3a8
kernfs_fop_read+0x38/0x160
__vfs_read+0x28/0xc8
vfs_read+0x84/0xfc
Change-Id: Ib6b3fc75bf0d24a04455bf81d54900c21c434958
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/pid.c | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/kernel/pid.c b/kernel/pid.c
index 78b3d9f80d44..b17263be9082 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -526,8 +526,11 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
 if (!ns)
 ns = task_active_pid_ns(current);
 if (likely(pid_alive(task))) {
-if (type != PIDTYPE_PID)
+if (type != PIDTYPE_PID) {
+if (type == __PIDTYPE_TGID)
+type = PIDTYPE_PID;
 task = task->group_leader;
+}
 nr = pid_nr_ns(rcu_dereference(task->pids[type].pid), ns);
 }
 rcu_read_unlock();
@@ -536,12 +539,6 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
 }
 EXPORT_SYMBOL(__task_pid_nr_ns);
 
-pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns)
-{
-return pid_nr_ns(task_tgid(tsk), ns);
-}
-EXPORT_SYMBOL(task_tgid_nr_ns);
-
 struct pid_namespace *task_active_pid_ns(struct task_struct *tsk)
 {
 return ns_of_pid(task_pid(tsk));
|
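Review bot: The new `__PIDTYPE_TGID` branch in the first hunk is only safe if that enumerator is defined outside the range used to index `task->pids[]` and is always rewritten to `PIDTYPE_PID` before the `pid_nr_ns(rcu_dereference(task->pids[type].pid), ns)` line, as it is here; the enumerator itself and the inline `task_tgid_nr_ns()` wrapper that must replace the deleted exported function are not visible because this diffstat is limited to 'kernel', so confirm they land in the same change or out-of-tree modules calling `task_tgid_nr_ns()` will fail to link. The fix depends on the surrounding `pid_alive(task)` check under `rcu_read_lock()` to make `task->group_leader` safe to follow, which is not obvious from the added lines alone; a comment above the branch such as `/* TGID is resolved through the group leader's PID here, under pid_alive()/RCU, instead of via task_tgid() which could follow a freed group_leader */` would record that reasoning. `__task_pid_nr_ns()` begins and ends outside the hunk.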
