diff options
author | Roland McGrath <roland@redhat.com> | 2007-11-13 22:11:50 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2007-11-16 10:10:56 -0800 |
commit | 36ef66c5d137b9a31fd8c35d236fb9e26ef74f97 (patch) | |
tree | 4a21980405c5a5fd34001ebdbfa5f7ac8a2229b7 | |
parent | b0f08ee5e5b8dfc3a875a41c24db878373274799 (diff) | |
download | linux-stable-36ef66c5d137b9a31fd8c35d236fb9e26ef74f97.tar.gz linux-stable-36ef66c5d137b9a31fd8c35d236fb9e26ef74f97.tar.bz2 linux-stable-36ef66c5d137b9a31fd8c35d236fb9e26ef74f97.zip |
wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
patch a3474224e6a01924be40a8255636ea5522c1023a in mainline
The original meaning of the old test (p->state > TASK_STOPPED) was
"not dead", since it was before TASK_TRACED existed and before the
state/exit_state split. It was a wrong correction in commit
14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
TASK_TRACED instead. It should have been changed when TASK_TRACED
was introducted and again when exit_state was introduced.
Signed-off-by: Roland McGrath <roland@redhat.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Alexey Dobriyan <adobriyan@sw.ru>
Cc: Kees Cook <kees@ubuntu.com>
Acked-by: Scott James Remnant <scott@ubuntu.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | kernel/exit.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/kernel/exit.c b/kernel/exit.c index 993369ee94d1..096c27da7bde 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -1362,8 +1362,7 @@ static int wait_task_stopped(struct task_struct *p, int delayed_group_leader, int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED; exit_code = p->exit_code; - if (unlikely(!exit_code) || - unlikely(p->state & TASK_TRACED)) + if (unlikely(!exit_code) || unlikely(p->exit_state)) goto bail_ref; return wait_noreap_copyout(p, pid, uid, why, (exit_code << 8) | 0x7f, |