lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BANLkTikB7nz_HKUWOZfGERmh+xSy9Uh0mg@mail.gmail.com>
Date:	Mon, 28 Mar 2011 14:24:57 -0700
From:	Julien Tinnes <jln@...gle.com>
To:	Roland Dreier <roland@...nel.org>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, Oleg Nesterov <oleg@...hat.com>,
	Klaus Dittrich <kladit@...or.de>
Subject: Re: [PATCH v2] Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo

Ohh, good catch!

It's not ideal that we have to relax this check, but as long as kernel
codes, SI_USER and SI_TKILL are not spoofable, I think we're in ok
shape.

Thanks,

Julien

On Mon, Mar 28, 2011 at 2:13 PM, Roland Dreier <roland@...nel.org> wrote:
> From: Roland Dreier <roland@...estorage.com>
>
> Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo
> from spoofing the signal code") made the check on si_code too strict.
> There are several legitimate places where glibc wants to queue a
> negative si_code different from SI_QUEUE:
>
>  - This was first noticed with glibc's aio implementation, which wants
>   to queue a signal with si_code SI_ASYNCIO; the current kernel
>   causes glibc's tst-aio4 test to fail because rt_sigqueueinfo()
>   fails with EPERM.
>
>  - Further examination of the glibc source shows that getaddrinfo_a()
>   wants to use SI_ASYNCNL (which the kernel does not even define).
>   The timer_create() fallback code wants to queue signals with SI_TIMER.
>
> As suggested by Oleg Nesterov <oleg@...hat.com>, loosen the check to
> forbid only the problematic SI_TKILL case.
>
> Reported-by: Klaus Dittrich <kladit@...or.de>
> Cc: <stable@...nel.org>
> Signed-off-by: Roland Dreier <roland@...estorage.com>
> ---
>  kernel/signal.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 324eff5..b2bfa3a 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -2437,7 +2437,7 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
>        /* Not even root can pretend to send signals from the kernel.
>         * Nor can they impersonate a kill()/tgkill(), which adds source info.
>         */
> -       if (info.si_code != SI_QUEUE) {
> +       if (info.si_code >= 0 || info.si_code == SI_TKILL) {
>                /* We used to allow any < 0 si_code */
>                WARN_ON_ONCE(info.si_code < 0);
>                return -EPERM;
> @@ -2457,7 +2457,7 @@ long do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info)
>        /* Not even root can pretend to send signals from the kernel.
>         * Nor can they impersonate a kill()/tgkill(), which adds source info.
>         */
> -       if (info->si_code != SI_QUEUE) {
> +       if (info->si_code >= 0 || info->si_code == SI_TKILL) {
>                /* We used to allow any < 0 si_code */
>                WARN_ON_ONCE(info->si_code < 0);
>                return -EPERM;
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ