summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOleg Nesterov <oleg@tv-sign.ru>2008-04-30 00:54:28 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2008-04-30 08:29:49 -0700
commit1dd768c0815334d2319d6377f0750ace075b6142 (patch)
tree13e3d42f3679ef1a50e276abdbeafccc9cfe1ed0
parent7d8da0962eaee30b4a380ded177349bfbdd6ac46 (diff)
pids: sys_getsid: fix unsafe *pid usage, fix possible 0 instead of -ESRCH
1. sys_getsid() needs rcu_read_lock() to derive the session _nr, even if the task is current, otherwise we can race with another thread which does sys_setsid(). 2. The task can exit between find_task_by_vpid() and task_session_vnr(), in that unlikely case sys_getsid() returns 0 instead of -ESRCH. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Roland McGrath <roland@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--kernel/sys.c33
1 files changed, 20 insertions, 13 deletions
diff --git a/kernel/sys.c b/kernel/sys.c
index 5d0b44cd435c..ddd28e261f3a 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1022,23 +1022,30 @@ asmlinkage long sys_getpgrp(void)
asmlinkage long sys_getsid(pid_t pid)
{
+ struct task_struct *p;
+ struct pid *sid;
+ int retval;
+
+ rcu_read_lock();
if (!pid)
- return task_session_vnr(current);
+ sid = task_session(current);
else {
- int retval;
- struct task_struct *p;
-
- rcu_read_lock();
- p = find_task_by_vpid(pid);
retval = -ESRCH;
- if (p) {
- retval = security_task_getsid(p);
- if (!retval)
- retval = task_session_vnr(p);
- }
- rcu_read_unlock();
- return retval;
+ p = find_task_by_vpid(pid);
+ if (!p)
+ goto out;
+ sid = task_session(p);
+ if (!sid)
+ goto out;
+
+ retval = security_task_getsid(p);
+ if (retval)
+ goto out;
}
+ retval = pid_vnr(sid);
+out:
+ rcu_read_unlock();
+ return retval;
}
asmlinkage long sys_setsid(void)