Commit 5ef016ad authored by Roland McGrath's avatar Roland McGrath Committed by Greg Kroah-Hartman

wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

patch a3474224 in mainline

The original meaning of the old test (p->state > TASK_STOPPED) was
"not dead", since it was before TASK_TRACED existed and before the
state/exit_state split.  It was a wrong correction in commit
14bf01bb to make this test for
TASK_TRACED instead.  It should have been changed when TASK_TRACED
was introducted and again when exit_state was introduced.
Signed-off-by: default avatarRoland McGrath <roland@redhat.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Alexey Dobriyan <adobriyan@sw.ru>
Cc: Kees Cook <kees@ubuntu.com>
Acked-by: default avatarScott James Remnant <scott@ubuntu.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent e405fd3d
...@@ -1336,8 +1336,7 @@ static int wait_task_stopped(struct task_struct *p, int delayed_group_leader, ...@@ -1336,8 +1336,7 @@ static int wait_task_stopped(struct task_struct *p, int delayed_group_leader,
int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED; int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED;
exit_code = p->exit_code; exit_code = p->exit_code;
if (unlikely(!exit_code) || if (unlikely(!exit_code) || unlikely(p->exit_state))
unlikely(p->state & TASK_TRACED))
goto bail_ref; goto bail_ref;
return wait_noreap_copyout(p, pid, uid, return wait_noreap_copyout(p, pid, uid,
why, (exit_code << 8) | 0x7f, why, (exit_code << 8) | 0x7f,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment