Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp87067imm; Thu, 4 Oct 2018 23:51:42 -0700 (PDT) X-Google-Smtp-Source: ACcGV60mxxEQaBtbv/qYLjJDbYGx0LgMiE6xZoAcA0sMEc2KBt7+p5ePyr4NDUqyMfLISjQKGj0c X-Received: by 2002:a62:1985:: with SMTP id 127-v6mr10169475pfz.51.1538722302459; Thu, 04 Oct 2018 23:51:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538722302; cv=none; d=google.com; s=arc-20160816; b=JImI+T1K8svm6Iw/RW7rug76Cdo3lfHpLkaJt6A+077z+QENzj/UED4RHwaLoCpHCJ az3ap9hsZd/0pu6p3dS8QZkOemDGHgJGRGkjRIqu/dPNflYh04Dou35YZt/rRWv7C4m3 Hm2evsMaSJzN91M0ZGz2aVj4QU4dV72eAAJrvlz66yWOpV6hbMeiiTPkQ6qPW1lCI2vP cMkMZtF5fDTD5EyVTayaH4zkq1+Tiw8UYVaBhPuGgGh+qzP2rtPsLcdwcf5hhfJ2l7NA 396x5st7cHZuUtNgfwuYnjySbfgbfW6UUPfInRTCPxO55ZW0GxR/I88fGfrSkudltUKf y4Kw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from; bh=Cy8+sjDBv/oqDgzW4xK1UORluVunmmNREI83UpJ4dls=; b=IipUXMwrY8bdbLyhLEMq83Mif/GgScqI/L+i5Vh292a6k8sWdpKg856Io0rWcA1VlE yBJYEB0I5JzlP1HfTvCpyUv7NhP0ZvhNbLQoXJjAIye5L+Gdw+tKkcPKGwP+nzpOQhoP 3Ur6JQoZ7m48yB/A97CTZNJV9LNibKNY+np7anMtqiEMwqDlFvF1uiTT4H1MQMdxF4S7 l1TdmmNqpVh/opqBuWJRVOwMDyBAinV06Pvak/jiukB6f30/OQiYQ8sN0bs8PzkrKMNX Xx86an1mw7RpOoKbmLEPBpNFrBSDMXUBcJ4VXWZ8m2+8YBgxfutdBk72DzuS6tvVz+G1 9jJw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c197-v6si7944744pfc.74.2018.10.04.23.51.25; Thu, 04 Oct 2018 23:51:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727615AbeJENsi (ORCPT + 99 others); Fri, 5 Oct 2018 09:48:38 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:50592 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726732AbeJENsh (ORCPT ); Fri, 5 Oct 2018 09:48:37 -0400 Received: from in02.mta.xmission.com ([166.70.13.52]) by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1g8JxH-00054o-S5; Fri, 05 Oct 2018 00:51:19 -0600 Received: from [105.184.227.67] (helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1g8Jx1-0005ds-WD; Fri, 05 Oct 2018 00:51:19 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Andrei Vagin Cc: linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, Oleg Nesterov , Linus Torvalds References: <87h8idv6nw.fsf@xmission.com> <20180925171906.19683-2-ebiederm@xmission.com> <20181005060611.GA19061@gmail.com> Date: Fri, 05 Oct 2018 08:50:51 +0200 In-Reply-To: <20181005060611.GA19061@gmail.com> (Andrei Vagin's message of "Thu, 4 Oct 2018 23:06:13 -0700") Message-ID: <878t3cc2es.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1g8Jx1-0005ds-WD;;;mid=<878t3cc2es.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=105.184.227.67;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18wd0mkbE5FO84R47u405DfzW4q+NGHqvc= X-SA-Exim-Connect-IP: 105.184.227.67 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa06.xmission.com X-Spam-Level: *** X-Spam-Status: No, score=3.5 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,TR_Symld_Words,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01, T_TooManySym_02,T_TooManySym_03,XMNoVowels,XMSubLong autolearn=disabled version=3.4.1 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * 1.5 TR_Symld_Words too many words that have symbols inside * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_03 6+ unique symbols in subject * 0.0 T_TooManySym_02 5+ unique symbols in subject * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ***;Andrei Vagin X-Spam-Relay-Country: X-Spam-Timing: total 15030 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 2.8 (0.0%), b_tie_ro: 2.0 (0.0%), parse: 1.14 (0.0%), extract_message_metadata: 15 (0.1%), get_uri_detail_list: 3.7 (0.0%), tests_pri_-1000: 2.8 (0.0%), tests_pri_-950: 1.27 (0.0%), tests_pri_-900: 1.04 (0.0%), tests_pri_-400: 30 (0.2%), check_bayes: 28 (0.2%), b_tokenize: 9 (0.1%), b_tok_get_all: 9 (0.1%), b_comp_prob: 3.5 (0.0%), b_tok_touch_all: 3.8 (0.0%), b_finish: 0.67 (0.0%), tests_pri_-100: 7 (0.0%), check_dkim_signature: 0.57 (0.0%), check_dkim_adsp: 3.2 (0.0%), tests_pri_0: 263 (1.7%), tests_pri_10: 2.9 (0.0%), tests_pri_500: 14701 (97.8%), poll_dns_idle: 14688 (97.7%), rewrite_mail: 0.00 (0.0%) Subject: Re: [REVIEW][PATCH 2/6] signal: Fail sigqueueinfo if si_signo != sig X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Andrei Vagin writes: > On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote: >> The kernel needs to validate that the contents of struct siginfo make >> sense as siginfo is copied into the kernel, so that the proper union >> members can be put in the appropriate locations. The field si_signo >> is a fundamental part of that validation. As such changing the >> contents of si_signo after the validation make no sense and can result >> in nonsense values in the kernel. > > Accoding to the man page, the user should not set si_signo, it has to be set > by kernel. I wanted to say look at copy_siginfo_from_user32 it uses si_signo and it has always done so. But before I got to fixing copy_siginfo_from_user32 only looked at si_code. This is one of the areas where we deliberately slightly changed the KABI. To start looking an signo instead of magic kernel internal si_code values. So yes. Looking at si_signo instead of the passed in signo appears to be a regression all of the way around (except for ptrace) where that value is not present. So I will see if I can figure out how to refactor the code to accomplish that. I am travelling for the next couple of days so I won't be able to get to this for a bit. I am thinking I will need two version of copy_siginfo_from user now. One for ptrace and one for rt_sgiqueueinfo. Sigh. > $ man 2 rt_sigqueueinfo > > The uinfo argument specifies the data to accompany the signal. This > argument is a pointer to a structure of type siginfo_t, described in > sigaction(2) (and defined by including ). The caller > should set the following fields in this structure: > > si_code > This must be one of the SI_* codes in the Linux kernel source > file include/asm-generic/siginfo.h, with the restriction that > the code must be negative (i.e., cannot be SI_USER, which is > used by the kernel to indicate a signal sent by kill(2)) and > cannot (since Linux 2.6.39) be SI_TKILL (which is used by the > kernel to indicate a signal sent using tgkill(2)). > > si_pid This should be set to a process ID, typically the process ID of > the sender. > > si_uid This should be set to a user ID, typically the real user ID of > the sender. > > si_value > This field contains the user data to accompany the signal. For > more information, see the description of the last (union sigval) > argument of sigqueue(3). > > Internally, the kernel sets the si_signo field to the value specified > in sig, so that the receiver of the signal can also obtain the signal > number via that field. > >> >> As such simply fail if someone is silly enough to set si_signo out of >> sync with the signal number passed to sigqueueinfo. >> >> I don't expect a problem as glibc's sigqueue implementation sets >> "si_signo = sig" and CRIU just returns to the kernel what the kernel >> gave to it. >> >> If there is some application that calls sigqueueinfo directly that has >> a problem with this added sanity check we can revisit this when we see >> what kind of crazy that application is doing. > > > I already know two "applications" ;) > > https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c > https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c > > Disclaimer: I'm the author of both of them. > >> >> Signed-off-by: "Eric W. Biederman" >> --- >> kernel/signal.c | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/kernel/signal.c b/kernel/signal.c >> index 7b49c31d3fdb..e445b0a63faa 100644 >> --- a/kernel/signal.c >> +++ b/kernel/signal.c >> @@ -3306,7 +3306,8 @@ static int do_rt_sigqueueinfo(pid_t pid, int sig, siginfo_t *info) >> (task_pid_vnr(current) != pid)) >> return -EPERM; >> >> - info->si_signo = sig; >> + if (info->si_signo != sig) >> + return -EINVAL; >> >> /* POSIX.1b doesn't mention process groups. */ >> return kill_proc_info(sig, info, pid); >> @@ -3354,7 +3355,8 @@ static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info) >> (task_pid_vnr(current) != pid)) >> return -EPERM; >> >> - info->si_signo = sig; >> + if (info->si_signo != sig) >> + return -EINVAL; >> >> return do_send_specific(tgid, pid, sig, info); >> }