[PATCH v3] kernel/fork: validate exit_signal in kernel_clone()

[Deepanshu Kartikey <kartikey406@gmail.com>]

When a child process exits, it sends exit_signal to its parent via
do_notify_parent(). The clone() syscall constructs exit_signal as:

(lower_32_bits(clone_flags) & CSIGNAL)

CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
non-zero non-valid exit_signal acts the same as exit_signal == 0:
the parent process is not signaled when the child terminates.

The syzkaller reproducer triggers this by calling clone() with
flags=0x80, resulting in exit_signal = (0x80 & CSIGNAL) = 128, which
exceeds _NSIG and is not a valid signal.

The v1 of this patch added the check only in the clone() syscall
handler, which is incomplete. kernel_clone() has other callers such
as sys_ia32_clone() which would remain unprotected. Move the check
to kernel_clone() to cover all callers.

Since the valid_signal() check is now in kernel_clone() and covers
all callers including clone3(), the same check in
copy_clone_args_from_user() becomes redundant and is removed. The
higher 32bits check for clone3() is kept as it is clone3() specific.

Note that this is a user-visible change: previously, passing an invalid
exit_signal to clone() was silently accepted. The man page for clone()
does not document any defined behavior for invalid exit_signal values,
so rejecting them with -EINVAL is the correct behavior. It is unlikely
that any sane application relies on passing an invalid exit_signal.

Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
v3:
  - Remove now redundant valid_signal() check from
    copy_clone_args_from_user() since kernel_clone() now covers
    all callers including clone3()
  - Update changelog to remove WARN_ON mention and describe
    actual bug behavior instead

v2:
  - Move valid_signal() check from clone() syscall handler to
    kernel_clone() to cover all callers including sys_ia32_clone()
  - Update changelog to document user-visible behavior change
---
 kernel/fork.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 947a8dbce06a..73f7fe958a30 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2687,6 +2687,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
 	    (args->pidfd == args->parent_tid))
 		return -EINVAL;
 
+	if (!valid_signal(args->exit_signal))
+		return -EINVAL;
+
 	/*
 	 * Determine whether and which event to report to ptracer.  When
 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
@@ -2885,11 +2888,9 @@ static noinline int copy_clone_args_from_user(struct kernel_clone_args *kargs,
 		return -EINVAL;
 
 	/*
-	 * Verify that higher 32bits of exit_signal are unset and that
-	 * it is a valid signal
+	 * Verify that higher 32bits of exit_signal are unset
 	 */
-	if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-		     !valid_signal(args.exit_signal)))
+	if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
 		return -EINVAL;
 
 	if ((args.flags & CLONE_INTO_CGROUP) &&
-- 
2.43.0