lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <87h8hdzajh.fsf@xmission.com>
Date:   Mon, 22 Oct 2018 21:01:06 -0500
From:   ebiederm@...ssion.com (Eric W. Biederman)
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     <linux-kernel@...r.kernel.org>, <linux-api@...r.kernel.org>
Subject: [GIT PULL] siginfo updates for 4.20-rc1


Linus,

Please pull the siginfo-linus branch from the git tree:

   git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git siginfo-linus

   HEAD: a36700589b85443e28170be59fa11c8a104130a5 signal: Guard against negative signal numbers in copy_siginfo_from_user32

I have been slowly sorting out siginfo and this is the culmination of that work.

The primary result is in several ways the signal infrastructure has been made
less error prone.  The code has been updated so that manually specifying
SEND_SIG_FORCED is never necessary.  The conversion to the new siginfo sending
functions is now complete, which makes it difficult to send a signal without
filling in the proper siginfo fields.

At the tail end of the patchset comes the optimization of decreasing the size of
struct siginfo in the kernel from 128 bytes to about 48 bytes on 64bit.  The
fundamental observation that enables this is by definition none of the known
ways to use struct siginfo uses the extra bytes.

This comes at the cost of a small user space observable difference.  For the
rare case of siginfo being injected into the kernel only what can be copied
into kernel_siginfo is delivered to the destination, the rest of the bytes are
set to 0.  For cases where the signal and the si_code are known this is safe,
because we know thos bytes are not used.  For cases where the signal and si_code
combination is unknown the bits that won't fit into struct kernel_siginfo are
tested to verify they are zero, and the send fails if they are not.

I made an extensive search through userspace code and I could not find anything
that would break because of the above change.  If it turns out I did break
something it will take just the revert of a single change to restore
kernel_siginfo to the same size as userspace siginfo.

Testing did reveal dependencies on preferring the signo passed to sigqueueinfo
over si->signo, so bit the bullet and added the complexity necessary to handle
that case.

Testing also revealed bad things can happen if a negative signal number is
passed into the system calls.  Something no sane application will do but
something a malicious program or a fuzzer might do.  So I have fixed the code
that performs the bounds checks to ensure negative signal numbers are handled.


There are minor conflicts between this tree and several other trees.
- The x86 tree
- The y2038 tree
- The arm64 tree
- The x86 tip tree

I think only the resolution of the x86 tip tree is at all difficult.  None of
the conflicts are fundamental.  They are all from changes to other parts of the
code that are just close enough to have context conflicts.  The x86 tip tree
conflict actually involves a conflict from removing a unnecessary pkey parameter
on the siginfo side and a some small refactoring on the x86 side.

Eric W. Biederman (80):
      signal: Always ignore SIGKILL and SIGSTOP sent to the global init
      signal: Properly deliver SIGILL from uprobes
      signal: Properly deliver SIGSEGV from x86 uprobes
      signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init
      signal: send_sig_all no longer needs SEND_SIG_FORCED
      signal: Remove the siginfo paramater from kernel_dqueue_signal
      signal: Don't send siginfo to kthreads.
      signal: Never allocate siginfo for SIGKILL or SIGSTOP
      signal: Use SEND_SIG_PRIV not SEND_SIG_FORCED with SIGKILL and SIGSTOP
      signal: Remove SEND_SIG_FORCED
      signal/GenWQE: Fix sending of SIGKILL
      tty_io: Use group_send_sig_info in __do_SACK to note it is a session being killed
      signal: Use group_send_sig_info to kill all processes in a pid namespace
      signal: Remove specific_send_sig_info
      signal: Pair exports with their functions
      signal: Simplify tracehook_report_syscall_exit
      signal/x86: Inline fill_sigtrap_info in it's only caller send_sigtrap
      signal/x86: Move MCE error reporting out of force_sig_info_fault
      signal/x86: Use send_sig_mceerr as apropriate
      signal/x86: In trace_mpx_bounds_register_exception add __user annotations
      signal/x86: Move mpx siginfo generation into do_bounds
      signal/x86/traps: Factor out show_signal
      signal/x86/traps: Move more code into do_trap_no_signal so it can be reused
      signal/x86/traps: Use force_sig_bnderr
      signal/x86/traps: Use force_sig instead of open coding it.
      signal/x86/traps: Simplify trap generation
      signal/x86: Remove pkey parameter from bad_area_nosemaphore
      signal/x86: Remove the pkey parameter from do_sigbus
      signal/x86: Remove pkey parameter from mm_fault_error
      signal/x86: Don't compute pkey in __do_page_fault
      signal/x86: Pass pkey not vma into __bad_area
      signal/x86: Call force_sig_pkuerr from __bad_area_nosemaphore
      signal/x86: Replace force_sig_info_fault with force_sig_fault
      signal/x86: Pass pkey by value
      signal/x86: Use force_sig_fault where appropriate
      signal/powerpc: Use force_sig_mceerr as appropriate
      signal/powerpc: Remove pkey parameter from __bad_area
      signal/powerpc: Call _exception_pkey directly from bad_key_fault_exception
      signal/powerpc: Remove pkey parameter from __bad_area_nosemaphore
      signal/powerpc: Factor the common exception code into exception_common
      signal/powerpc: Call force_sig_fault from _exception
      signal/powerpc: Specialize _exception_pkey for handling pkey exceptions
      signal/powerpc: Simplify _exception_pkey by using force_sig_pkuerr
      signal/powerpc: Use force_sig_fault where appropriate
      signal/arm64: Push siginfo generation into arm64_notify_die
      signal/arm64: Remove unneeded tsk parameter from arm64_force_sig_info
      signal/arm64: Factor out arm64_show_signal from arm64_force_sig_info
      signal/arm64: Factor set_thread_esr out of __do_user_fault
      signal/arm64: Consolidate the two hwpoison cases in do_page_fault
      signal/arm64: For clarity separate the 3 signal sending cases in do_page_fault
      signal/arm64: Expand __do_user_fault and remove it
      signal/arm64: Only perform one esr_to_fault_info call in do_page_fault
      signal/arm64: Only call set_thread_esr once in do_page_fault
      signal/arm64: Add and use arm64_force_sig_fault where appropriate
      signal/arm64: Add and use arm64_force_sig_mceerr as appropriate
      signal/arm64: Remove arm64_force_sig_info
      signal/arm64: In ptrace_hbptriggered name the signal description string
      signal/arm64: Add and use arm64_force_sig_ptrace_errno_trap
      signal/arm64: Use send_sig_fault where appropriate
      signal/arm: Push siginfo generation into arm_notify_die
      signal/arm: Use force_sig_fault where appropriate
      signal/arm: Use send_sig_fault where appropriate
      signal/arm/kvm: Use send_sig_mceerr
      signal/ia64: Use the generic force_sigsegv in setup_frame
      signal/ia64: Use the force_sig(SIGSEGV,...) in ia64_rt_sigreturn
      signal/ia64: Use force_sig_fault where appropriate
      signal/arc: Push siginfo generation into unhandled_exception
      signal/arc: Use force_sig_fault where appropriate
      signal/unicore32: Use send_sig_fault where appropriate
      signal/unicore32: Generate siginfo in ucs32_notify_die
      signal/unicore32: Use force_sig_fault where appropriate
      signal/sparc: Move EMT_TAGOVF into the generic siginfo.h
      signal: Fail sigqueueinfo if si_signo != sig
      signal: Remove the need for __ARCH_SI_PREABLE_SIZE and SI_PAD_SIZE
      signal: Introduce copy_siginfo_from_user and use it's return value
      signal: Distinguish between kernel_siginfo and siginfo
      signal: Use a smaller struct siginfo in the kernel
      signal: In sigqueueinfo prefer sig not si_signo
      signal: Guard against negative signal numbers in copy_siginfo_from_user
      signal: Guard against negative signal numbers in copy_siginfo_from_user32

 arch/alpha/include/uapi/asm/siginfo.h        |   1 -
 arch/arc/kernel/traps.c                      |  22 +-
 arch/arc/mm/fault.c                          |  20 +-
 arch/arm/include/asm/bug.h                   |   4 +-
 arch/arm/kernel/ptrace.c                     |  11 +-
 arch/arm/kernel/swp_emulate.c                |  16 +-
 arch/arm/kernel/traps.c                      |  63 ++--
 arch/arm/mm/alignment.c                      |  10 +-
 arch/arm/mm/fault.c                          |  28 +-
 arch/arm/vfp/vfpmodule.c                     |  11 +-
 arch/arm64/include/asm/system_misc.h         |   3 +-
 arch/arm64/include/asm/traps.h               |   5 +-
 arch/arm64/include/uapi/asm/Kbuild           |   1 +
 arch/arm64/include/uapi/asm/siginfo.h        |  24 --
 arch/arm64/kernel/debug-monitors.c           |  11 +-
 arch/arm64/kernel/fpsimd.c                   |  10 +-
 arch/arm64/kernel/ptrace.c                   |  16 +-
 arch/arm64/kernel/sys_compat.c               |  13 +-
 arch/arm64/kernel/traps.c                    |  67 ++---
 arch/arm64/mm/fault.c                        |  94 +++---
 arch/ia64/include/uapi/asm/siginfo.h         |   2 -
 arch/ia64/kernel/brl_emu.c                   |  31 +-
 arch/ia64/kernel/signal.c                    |  60 +---
 arch/ia64/kernel/traps.c                     | 144 +++------
 arch/ia64/kernel/unaligned.c                 |  12 +-
 arch/ia64/mm/fault.c                         |  12 +-
 arch/mips/include/uapi/asm/siginfo.h         |  11 -
 arch/parisc/include/uapi/asm/Kbuild          |   1 +
 arch/parisc/include/uapi/asm/siginfo.h       |  11 -
 arch/powerpc/include/asm/bug.h               |   2 +-
 arch/powerpc/include/asm/ptrace.h            |   2 +-
 arch/powerpc/include/uapi/asm/Kbuild         |   1 +
 arch/powerpc/include/uapi/asm/siginfo.h      |  18 --
 arch/powerpc/kernel/process.c                |   9 +-
 arch/powerpc/kernel/traps.c                  |  34 +--
 arch/powerpc/mm/fault.c                      |  55 ++--
 arch/powerpc/platforms/cell/spu_base.c       |   4 +-
 arch/powerpc/platforms/cell/spufs/fault.c    |  26 +-
 arch/riscv/include/uapi/asm/Kbuild           |   1 +
 arch/riscv/include/uapi/asm/siginfo.h        |  24 --
 arch/s390/include/uapi/asm/Kbuild            |   1 +
 arch/s390/include/uapi/asm/siginfo.h         |  17 --
 arch/sparc/include/uapi/asm/siginfo.h        |   7 -
 arch/unicore32/include/asm/bug.h             |   3 +-
 arch/unicore32/kernel/fpu-ucf64.c            |  12 +-
 arch/unicore32/kernel/traps.c                |   5 +-
 arch/unicore32/mm/fault.c                    |  27 +-
 arch/x86/entry/vsyscall/vsyscall_64.c        |   9 +-
 arch/x86/include/asm/compat.h                |   2 +-
 arch/x86/include/asm/mpx.h                   |  12 +-
 arch/x86/include/asm/ptrace.h                |   2 +-
 arch/x86/include/asm/trace/mpx.h             |   4 +-
 arch/x86/include/uapi/asm/siginfo.h          |   2 -
 arch/x86/kernel/ptrace.c                     |  29 +-
 arch/x86/kernel/traps.c                      | 176 +++++------
 arch/x86/kernel/umip.c                       |   8 +-
 arch/x86/kernel/uprobes.c                    |   2 +-
 arch/x86/kvm/mmu.c                           |  11 +-
 arch/x86/mm/fault.c                          | 167 ++++-------
 arch/x86/mm/mpx.c                            |  30 +-
 drivers/misc/genwqe/card_base.h              |   2 +-
 drivers/misc/genwqe/card_dev.c               |   9 +-
 drivers/tty/sysrq.c                          |   2 +-
 drivers/tty/tty_io.c                         |   6 +-
 drivers/usb/core/devio.c                     |   4 +-
 drivers/usb/gadget/function/f_mass_storage.c |   4 +-
 fs/binfmt_elf.c                              |   6 +-
 fs/coredump.c                                |   2 +-
 fs/fcntl.c                                   |   2 +-
 fs/jffs2/background.c                        |   2 +-
 fs/signalfd.c                                |   6 +-
 include/linux/binfmts.h                      |   2 +-
 include/linux/compat.h                       |   4 +-
 include/linux/coredump.h                     |   4 +-
 include/linux/lsm_hooks.h                    |   4 +-
 include/linux/posix-timers.h                 |   2 +-
 include/linux/ptrace.h                       |  17 +-
 include/linux/sched.h                        |   2 +-
 include/linux/sched/signal.h                 |  23 +-
 include/linux/security.h                     |   6 +-
 include/linux/signal.h                       |  18 +-
 include/linux/signal_types.h                 |   8 +-
 include/linux/tracehook.h                    |  13 +-
 include/trace/events/signal.h                |   7 +-
 include/uapi/asm-generic/siginfo.h           | 193 ++++++------
 ipc/mqueue.c                                 |   2 +-
 kernel/events/uprobes.c                      |   4 +-
 kernel/pid_namespace.c                       |   2 +-
 kernel/ptrace.c                              |  26 +-
 kernel/seccomp.c                             |   6 +-
 kernel/signal.c                              | 421 +++++++++++++++++----------
 kernel/time/posix-timers.c                   |   2 +-
 mm/oom_kill.c                                |   4 +-
 security/apparmor/lsm.c                      |   2 +-
 security/security.c                          |   2 +-
 security/selinux/hooks.c                     |   2 +-
 security/smack/smack_lsm.c                   |   2 +-
 virt/kvm/arm/mmu.c                           |  14 +-
 98 files changed, 925 insertions(+), 1328 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ