lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20070126100801.GA94@tv-sign.ru>
Date:	Fri, 26 Jan 2007 13:08:01 +0300
From:	Oleg Nesterov <oleg@...sign.ru>
To:	S?bastien Dugu? <sebastien.dugue@...l.net>
Cc:	Zach Brown <zach.brown@...cle.com>,
	Suparna Bhattacharya <suparna@...ibm.com>,
	Benjamin LaHaise <bcrl@...ck.org>,
	Ulrich Drepper <drepper@...hat.com>,
	Ingo Molnar <mingo@...e.hu>,
	Thomas Gleixner <tglx@...utronix.de>,
	Andrew Morton <akpm@...l.org>, linux-kernel@...r.kernel.org
Subject: Re: + make-good_sigevent-non-static.patch added to -mm tree

On 01/26, S?bastien Dugu? wrote:
>
> On Thu, 25 Jan 2007 18:43:24 +0300 Oleg Nesterov <oleg@...sign.ru> wrote:
> 
> > SИbastien DuguИ wrote:
> > >
> > > +struct task_struct *good_sigevent(sigevent_t *event)
> > > +{
> > > +	struct task_struct *task = current->group_leader;
> > > +
> > > +	if ((event->sigev_notify & SIGEV_THREAD_ID) == SIGEV_THREAD_ID) {
> > > +		task = find_task_by_pid(event->sigev_notify_thread_id);
> > > +
> > > +		if (!task || task->tgid != current->tgid)
> > > +			return NULL;
> > > +	} else if (event->sigev_notify == SIGEV_SIGNAL) {
> > 
> > No, no, we can't use "else" here,
> > 
> > > +		if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
> > 
> > because we skip the check above in SIGEV_THREAD_ID case.
> 
>   Right, will fix this.
> 
> > 
> > This way any user can crash the kernel with a minimal effort.
> 
>   Well I tried, no crash, just the signal failing to be delivered.

	sigaddset:

		set->sig[sig / _NSIG_BPW] |= 1UL << (sig % _NSIG_BPW);

This writes to ->sig[event->sigev_signo / _NSIG_BPW] location, so we can
corrupt the memory if ->sigev_signo > _NSIG.

Btw, since you are exporting this function, may I suggest to rename it?
No, I can't suggest a better name :) But "good_sigevent" is a bit confusing
imho.

Oleg.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ