lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87ldzd1ahb.fsf@email.froward.int.ebiederm.org>
Date: Fri, 27 Sep 2024 08:40:00 -0500
From: "Eric W. Biederman" <ebiederm@...ssion.com>
To: Thomas Gleixner <tglx@...utronix.de>
Cc: LKML <linux-kernel@...r.kernel.org>,  Anna-Maria Behnsen
 <anna-maria@...utronix.de>,  Frederic Weisbecker <frederic@...nel.org>,
  John Stultz <jstultz@...gle.com>,  Peter Zijlstra <peterz@...radead.org>,
  Ingo Molnar <mingo@...nel.org>,  Stephen Boyd <sboyd@...nel.org>,  Oleg
 Nesterov <oleg@...hat.com>
Subject: Re: [patch v4 02/27] signal: Prevent user space from setting
 si_sys_private

Thomas Gleixner <tglx@...utronix.de> writes:

> From: Thomas Gleixner <tglx@...utronix.de>
>
> The si_sys_private member of siginfo is used to handle posix-timer rearming
> from the signal delivery path. Prevent user space from setting it as that
> creates inconsistent state.
>
> Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
> Acked-by: Peter Zijlstra (Intel) <peterz@...radead.org>
>
> ---
>  kernel/signal.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> ---
> diff --git a/kernel/signal.c b/kernel/signal.c
> index a83ea99f9389..7706cd304785 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -3354,6 +3354,14 @@ int copy_siginfo_to_user(siginfo_t __user *to, const kernel_siginfo_t *from)
>  static int post_copy_siginfo_from_user(kernel_siginfo_t *info,
>  				       const siginfo_t __user *from)
>  {
> +	/*
> +	 * Clear the si_sys_private field for timer signals as that's the
> +	 * indicator for rearming a posix timer. User space submitted
> +	 * signals are not allowed to inject that.
> +	 */
> +	if (info->si_code == SI_TIMER)
> +		info->si_sys_private = 0;
> +
>  	if (unlikely(!known_siginfo_layout(info->si_signo, info->si_code))) {
>  		char __user *expansion = si_expansion(from);
>  		char buf[SI_EXPANSION_SIZE];


Can we do this differently for maintainability?  The siginfo union sucks
to deal with.

Can we place this test after the !known_siginfo_layout test.

Can you further make the case say something like:

	if ((siginfo_layout(info->si_signo, info->si_code) == SIL_TIMER) &&
            (info->si_sys_private != 0)) {
		return -EINVAL?
        }


Using siginfo_layout is slightly more expensive but it will catch any
future oddness that comes up, and I don't think signal injection is a path
where we need to optimize every last cycle.

Unless we expect userspace to be injecting signals with
info->si_sys_private set to non-zero (and we need to maintain backwards
comparability) it is probably better to simply error.

I unfortunately overlooked this corner case when I cleaned up signal
copying.

Eric




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ