9 Jul
2020
9 Jul
'20
9:17 p.m.
On Thu, Jul 09, 2020 at 10:00:42PM +0200, Jann Horn wrote:
On Thu, Jul 9, 2020 at 8:26 PM Kees Cook keescook@chromium.org wrote:
The sock counting (sock_update_netprioidx() and sock_update_classid()) was missing from pidfd's implementation of received fd installation. Add a call to the new __receive_sock() helper.
[...]
diff --git a/kernel/pid.c b/kernel/pid.c
[...]
@@ -642,10 +643,12 @@ static int pidfd_getfd(struct pid *pid, int fd) }
ret = get_unused_fd_flags(O_CLOEXEC);
if (ret < 0)
if (ret < 0) { fput(file);
else
} else { fd_install(ret, file);__receive_sock(file);}__receive_sock() has to be before fd_install(), otherwise `file` can be a dangling pointer.
Burned by fd_install()'s API again. Thanks. I will respin.
--
Kees Cook