[PATCH v2 0/3] linux-user: Filter /proc/*/task/ and validate tkill targets

Ali Raza posted 3 patches 6 days, 3 hours ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260424-master-v2-0-8b50b5c063ed@gmail.com
Maintainers: Laurent Vivier <laurent@vivier.eu>, Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>, "Alex Bennée" <alex.bennee@linaro.org>
linux-user/fd-trans.c                       |   6 +
linux-user/fd-trans.h                       |  18 ++
linux-user/syscall.c                        | 353 +++++++++++++++++++++-------
tests/tcg/multiarch/Makefile.target         |   2 +
tests/tcg/multiarch/linux/linux-proc-task.c | 193 +++++++++++++++
5 files changed, 492 insertions(+), 80 deletions(-)
This series fixes a problem where QEMU user-mode exposes internal
host threads (RCU, TCG workers) to guest processes via /proc/*/task/
and allows the guest to signal them via tkill/tgkill.

Patch 1: Filters getdents/getdents64 on /proc/<pid>/task/
Patch 2: Validates tkill/tgkill targets against guest CPU list
Patch 3: Adds a multiarch test exercising both fixes

Signed-off-by: Ali Raza <elirazamumtaz@gmail.com>
---
Changes in v2:
- linux-user/syscall.c: use pid_t instead of long for the tid variable
  in do_getdents() and do_getdents64() (suggested by Helge Deller).
- linux-user/syscall.c: replace ad-hoc readlink-at-getdents check with
  fd_trans-based tagging at open time, eliminating a TOCTOU race and
  a broad-prefix match that also matched /proc/<pid>/task/<tid>/fd.
- linux-user/syscall.c (do_getdents, do_getdents64): retry sys_getdents
  when an entire host batch is filtered out, so the guest does not see
  a false EOF.
- linux-user/syscall.c (do_getdents, do_getdents64): parse the dirent
  TID with qemu_strtoi() instead of strtol() so out-of-range values
  cannot wrap silently into pid_t.
- linux-user/syscall.c (do_tkill): validate the guest tid range against
  pid_t and only reject signals whose target lives in our own host
  process and is not a guest thread (allow cross-process tkill to fall
  through to the kernel).
- linux-user/syscall.c (do_tgkill): drop the previous tgid==getpid()
  blanket rejection and apply the same in-our-process-only filter, so
  legitimate cross-process tgkill keeps working.
- tests/tcg/multiarch/linux-proc-task.c: hard-assert ESRCH on tkill to
  a non-guest tid, and add tgkill coverage (success on guest tids,
  ESRCH on a wrong tgid).
- Link to v1: https://lore.kernel.org/qemu-devel/20260415-master-v1-0-8dd2ef111eee@gmail.com

To: qemu-devel@nongnu.org
Cc: Laurent Vivier <laurent@vivier.eu>
Cc: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Cc: Alex Bennée <alex.bennee@linaro.org>

---
Ali Raza (3):
      linux-user: Filter /proc/*/task/ to hide QEMU-internal threads
      linux-user: Validate tkill/tgkill targets are guest threads
      tests/tcg: Add test for /proc/self/task/ filtering and tkill validation

---
base-commit: da6c4fe60fee30dd77267764d55b38af9cb89d4b
change-id: 20260415-master-3a0fa2ebf2d5

Best regards,
--  
Ali Raza <elirazamumtaz@gmail.com>
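Added illustration, not part of Ali Raza's series and not QEMU code: the two checks the cover letter describes, written as stand-alone C over constructed data so the behaviour can be exercised offline. It shows a getdents64 batch from /proc/<pid>/task/ being compacted down to guest TIDs, the retry when an entire host batch is filtered away (the "false EOF" fixed in v2), strict TID parsing that refuses values which would wrap into pid_t, and the three-way tkill/tgkill decision (guest thread, non-guest thread of our own host process, other process). Assumptions: the struct linux_dirent64 layout is the kernel ABI; strtol() with explicit range checks stands in for qemu_strtoi(); the host sys_getdents and the "does this tid belong to our host process" probe are replaced by callbacks (fake_getdents64, fake_in_own_process); the TIDs 4001/4002 (guest) and 4100..4102 (QEMU-internal) and all function names are the example's own.

```c
/* Added example, not code from Ali Raza's series or from QEMU: the two checks
 * the cover letter describes, over constructed data. strtol() plus range checks
 * stands in for qemu_strtoi(); callbacks replace sys_getdents and the "is this
 * tid one of our own host threads" probe. Every TID below is made up. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
struct linux_dirent64 {                      /* kernel getdents64 ABI record */
    uint64_t d_ino; int64_t d_off; unsigned short d_reclen;
    unsigned char d_type; char d_name[];
};

/* Whole-string decimal parse that must fit pid_t: rejects ".", "..", "12x",
 * signs and values that would wrap (what qemu_strtoi() buys over bare strtol). */
bool parse_tid(const char *name, pid_t *out)
{
    char *end; errno = 0;
    if (*name < '0' || *name > '9') return false;
    long v = strtol(name, &end, 10);
    if (errno || *end || v < 1 || v > INT_MAX) return false;
    *out = (pid_t)v; return true;
}
static bool is_guest_tid(pid_t t, const pid_t *g, size_t n) { while (n--) if (g[n] == t) return true; return false; }

/* Compact one host batch in place: numeric names that are not guest TIDs
 * (RCU/TCG workers) are dropped; "." and ".." pass through untouched. */
ssize_t filter_task_batch(char *buf, ssize_t len, const pid_t *guest, size_t n)
{
    ssize_t in = 0, out = 0;
    for (unsigned short rl; in < len; in += rl) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + in);
        pid_t tid; if ((rl = d->d_reclen) == 0) break;   /* malformed record */
        if (parse_tid(d->d_name, &tid) && !is_guest_tid(tid, guest, n)) continue;
        if (out != in) memmove(buf + out, buf + in, rl);
        out += rl;
    }
    return out;
}

/* getdents64 as the guest sees it: when a whole host batch is filtered away,
 * fetch the next one instead of returning 0, which would be a false EOF. */
ssize_t filtered_getdents64(ssize_t (*next)(void *, char *, size_t), void *ctx,
                            char *buf, size_t size, const pid_t *guest, size_t n)
{
    for (;;) {
        ssize_t got = next(ctx, buf, size);
        if (got <= 0) return got;                        /* real EOF or error */
        ssize_t kept = filter_task_batch(buf, got, guest, n);
        if (kept > 0) return kept;
    }
}

/* tkill/tgkill policy: guest thread -> deliver; non-guest thread of our own host
 * process -> ESRCH; anything else -> the kernel decides (cross-process tkill keeps
 * working). A real in_own_process() would be a tgkill(getpid(), tid, 0) probe. */
enum tkill_verdict { TKILL_GUEST_THREAD, TKILL_REJECT_ESRCH, TKILL_PASS_TO_KERNEL };
enum tkill_verdict check_tkill_target(long long guest_tid, const pid_t *guest,
                                      size_t n, bool (*in_own_process)(pid_t))
{
    if (guest_tid < 1 || guest_tid > INT_MAX) return TKILL_REJECT_ESRCH;
    if (is_guest_tid((pid_t)guest_tid, guest, n)) return TKILL_GUEST_THREAD;
    return in_own_process((pid_t)guest_tid) ? TKILL_REJECT_ESRCH : TKILL_PASS_TO_KERNEL;
}

/* Constructed fixture: guest threads 4001/4002, QEMU-internal threads 4100..4102;
 * the host hands out two batches, the first made up only of internal threads. */
const pid_t demo_guest[] = { 4001, 4002 };
bool fake_in_own_process(pid_t tid) { return tid >= 4100 && tid <= 4102; }
static const char *const batch0[] = { "4100", "4101", NULL };
static const char *const batch1[] = { ".", "..", "4001", "4002", "4102", NULL };
static const char *const *const fake_batches[] = { batch0, batch1, NULL };
static ssize_t fake_getdents64(void *vctx, char *buf, size_t size)
{
    int *next = vctx; size_t off = 0;                    /* *next: batch index */
    const char *const *names = fake_batches[*next];
    if (!names) return 0;                                /* host EOF */
    for ((*next)++; *names; names++) {                   /* emit one ABI record */
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
        size_t len = strlen(*names), rl = (offsetof(struct linux_dirent64, d_name) + len + 8) & ~(size_t)7;
        if (off + rl > size) break;
        memset(d, 0, rl); d->d_reclen = (unsigned short)rl; d->d_type = 4; /* DT_DIR */
        memcpy(d->d_name, *names, len + 1);
        off += rl;
    }
    return (ssize_t)off;
}
/* Name of the i-th record in a (filtered) buffer, or NULL past the end. */
const char *nth_name(const char *buf, ssize_t len, int i)
{
    for (ssize_t off = 0; off < len; off += ((const struct linux_dirent64 *)(buf + off))->d_reclen)
        if (i-- == 0) return ((const struct linux_dirent64 *)(buf + off))->d_name;
    return NULL;
}
```

With this fixture, one guest read of the directory consumes two host batches: the first (4100, 4101) is filtered to nothing and would have been reported as EOF without the retry loop, the second yields ".", "..", "4001", "4002" with 4102 dropped. The split in check_tkill_target between "in our host process but not a guest thread" (ESRCH) and "some other process" (handed to the kernel) is what lets cross-process tkill/tgkill keep working while QEMU's own threads stay unreachable.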