Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3431437imu; Sun, 11 Nov 2018 14:58:24 -0800 (PST) X-Google-Smtp-Source: AJdET5fBxvnUBDLF1jC1ww4s9o5pssPeD78bDsyi3sE9tqiyNBHVuntbItJYZi7XVZwmrCRJO8Tv X-Received: by 2002:a63:9e0a:: with SMTP id s10mr15573898pgd.239.1541977104568; Sun, 11 Nov 2018 14:58:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541977104; cv=none; d=google.com; s=arc-20160816; b=twY/ROqGPFDPgrs+fKns/TF+MugaTP12+7bJHBtg9GSe0nkI4v86q3jepihk5+BcUh DfKPelehGuayxikQvyUwLBpbMhHwSr6ArhZXUZfA0CN07RuP/FqMKirzRowuebZOjqdp JBhqH3NqtowHpbdJU1LzqY45pVrRBNvALtJ172veuX6RSlpHFo9YYrfCTdCMd6c9rJp6 2DF411/O5NK8ENoVXHr/JSkGEismEKsvIr4cjO5vTBxTbD3yMnkZXXxj7ykfNlsbJYJZ gr2zEUGqN/67qK7L8KkEB0jiqI90BOQ3IlXkKZ/EF2EilpP4xKSzfH35eYgwVB22EYY1 t+wQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=d/3wCLn0YHMKZMziB12HIPpC+CN7Vk6bqcCftCbBveE=; b=Ot8AzueN5u/nxHXZDfB8j84LSRTilqlaB58z++rDlG2X3UPxhQambzJ29y/6CINKwS 3846IKgrtuU9mj1DB/NiBSd10WwyPOmWC+Aixa7Pi7ojmYsrkaqvX094zm4v0yY3hsJZ KhfuzFp9q7RG+tyopran9nyrh3SUy6wt6/qVrlk1NbQANT4c9g2wVgakLw+fbQwH2dP/ aNhO3Cqfq/Pn3MnWuXopwjpslMjHE0ODoaAwCRcuWAP8KemGM5EwPktkFrqtrA6UwG1U k4mtN4wkKypLI2meRCOTi2DhREXLDi8xxCoMQ7xjsJd4ytcORnYP14UogFA3OKZOKYRz 4tHw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=03qFNxQB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a123-v6si13821117pgc.219.2018.11.11.14.58.09; Sun, 11 Nov 2018 14:58:24 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=03qFNxQB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2403879AbeKLIWv (ORCPT + 99 others); Mon, 12 Nov 2018 03:22:51 -0500 Received: from mail.kernel.org ([198.145.29.99]:54602 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729476AbeKLIWv (ORCPT ); Mon, 12 Nov 2018 03:22:51 -0500 Received: from localhost (unknown [206.108.79.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 912AD22353; Sun, 11 Nov 2018 22:32:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541975573; bh=owcmn8Da8IiL6swhfcx8otGtnEODOUfi2fgk7Z8Ap7c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=03qFNxQBzqP5qWZbPUUK3WQCHG8LgGfGyFagxlKVGRz7Z2AqTJUQgPUTXG9dejpFl Uf7xczhFaQDkV93jOZlrbRUPS1X4lV+LeU7rxbL7OVsXUbRXomJOkwGp4ASxnsNa/v YiMo/VuIwgD/RkwnVwoGyFbLAeZEMb/AhxDBSwKM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Eric W. Biederman" Subject: [PATCH 4.14 150/222] signal: Guard against negative signal numbers in copy_siginfo_from_user32 Date: Sun, 11 Nov 2018 14:24:07 -0800 Message-Id: <20181111221700.815082705@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181111221647.665769131@linuxfoundation.org> References: <20181111221647.665769131@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric W. Biederman commit a36700589b85443e28170be59fa11c8a104130a5 upstream. While fixing an out of bounds array access in known_siginfo_layout reported by the kernel test robot it became apparent that the same bug exists in siginfo_layout and affects copy_siginfo_from_user32. The straight forward fix that makes guards against making this mistake in the future and should keep the code size small is to just take an unsigned signal number instead of a signed signal number, as I did to fix known_siginfo_layout. Cc: stable@vger.kernel.org Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic") Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman --- include/linux/signal.h | 2 +- kernel/signal.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/include/linux/signal.h +++ b/include/linux/signal.h @@ -34,7 +34,7 @@ enum siginfo_layout { #endif }; -enum siginfo_layout siginfo_layout(int sig, int si_code); +enum siginfo_layout siginfo_layout(unsigned sig, int si_code); /* * Define some primitives to manipulate sigset_t. --- a/kernel/signal.c +++ b/kernel/signal.c @@ -2700,7 +2700,7 @@ COMPAT_SYSCALL_DEFINE2(rt_sigpending, co } #endif -enum siginfo_layout siginfo_layout(int sig, int si_code) +enum siginfo_layout siginfo_layout(unsigned sig, int si_code) { enum siginfo_layout layout = SIL_KILL; if ((si_code > SI_USER) && (si_code < SI_KERNEL)) {