Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3475131imu; Sun, 11 Nov 2018 15:58:07 -0800 (PST) X-Google-Smtp-Source: AJdET5dfhdKOCfdnI6yWm7/nRmMJ+A4WbBiuCZJAFPaxIp0xKO4tDjhM1s+qdOKmGKmQKG4m1+6z X-Received: by 2002:a17:902:c5:: with SMTP id a63-v6mr17869028pla.201.1541980687240; Sun, 11 Nov 2018 15:58:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541980687; cv=none; d=google.com; s=arc-20160816; b=KvQod0ExL4ZKv9M/EJZ2KFYnOnbH9BmIlu7iV3tJVGBMSE0JjFGgRumBI9kMrjMpy9 Qy8fqV6PJ3tkhmf26pmPINkAk8jLJrKUkLSYsyWf3xgnRcAD8oKw9wACJGPYUWTWzpoc hBei2CJlOk+mXjXWgGB7obPA4H9CfFna492uEHShtiCQtcvCevwf8pJ0ryxsDk6LOUKS l7QsJJKdKbgd13Ejz5OWm4S60vPN+vwL92XjnT8nu2NxZgp64pRh8l4Of9CKpZTXzNJB igTUw+/c+IfvXXAUlOifdSnfr5dGh0EKVCLbAZFaic3eXeOr58Bh3C6eOy8y6cTUqixo eijQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=3HuLxA41Z6qtLLnsgKWw+DMn8UR+KV6f46UZag6EZ7I=; b=ArDE4G7NfUHiYpnRK0Npm0HYslaImXkCwKEDLqu6k5/mMQv+8voGmGluI8SJkLvNxH Mu3XiWsdBjgpvGMGz0D/x+tsZj6KaVJOJOoGkVzBhnaWS2YnLlVrR4v4kYYBh1MabxaS JUE37NKZqo0jF0gLH2VBkUiOvnEKlksOnrHFfkzJPgJJvn91ZJo50GgT/LZDAIy387qH sWg+hjgsyNciRS7ZCBpbYTjKYuwMxamEb5fSfDkFh302g+sgaSyUgBuPZgNJd/5cYDoz iel2zI3IxACdBenUSKAouPcNRUFl2/80lXt8ZE4TwFm+GZh7JmtRitd1466UstP3pA9q Okkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=rtKI0SVe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t6si15629354pgn.258.2018.11.11.15.57.52; Sun, 11 Nov 2018 15:58:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=rtKI0SVe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732692AbeKLJrz (ORCPT + 99 others); Mon, 12 Nov 2018 04:47:55 -0500 Received: from mail.kernel.org ([198.145.29.99]:35336 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732425AbeKLISK (ORCPT ); Mon, 12 Nov 2018 03:18:10 -0500 Received: from localhost (unknown [206.108.79.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7407421104; Sun, 11 Nov 2018 22:28:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541975294; bh=p/GEQ0muYnTY6+xMCPUrOkJ4rRW6+Q/I92w0fczDXlg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rtKI0SVeFqN4cS4t/LgHDZw34gBknbvNPyDHdeOAIa/lj02ArVHKxE+QGvvSEWg56 8dYnTVRLg+SyqQEXQO/4KM6+5wMR6sB5MWqofLDR4fgX7LMa/yUVixnX8UWK90rHKO gEe1Ky5wxspZm3sX5qQG3Vc5QOJT2m5vtpUYr+oU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Eric W. Biederman" Subject: [PATCH 4.19 241/361] signal: Guard against negative signal numbers in copy_siginfo_from_user32 Date: Sun, 11 Nov 2018 14:19:48 -0800 Message-Id: <20181111221652.351797524@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181111221619.915519183@linuxfoundation.org> References: <20181111221619.915519183@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric W. Biederman commit a36700589b85443e28170be59fa11c8a104130a5 upstream. While fixing an out of bounds array access in known_siginfo_layout reported by the kernel test robot it became apparent that the same bug exists in siginfo_layout and affects copy_siginfo_from_user32. The straight forward fix that makes guards against making this mistake in the future and should keep the code size small is to just take an unsigned signal number instead of a signed signal number, as I did to fix known_siginfo_layout. Cc: stable@vger.kernel.org Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic") Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman --- include/linux/signal.h | 2 +- kernel/signal.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/include/linux/signal.h +++ b/include/linux/signal.h @@ -36,7 +36,7 @@ enum siginfo_layout { SIL_SYS, }; -enum siginfo_layout siginfo_layout(int sig, int si_code); +enum siginfo_layout siginfo_layout(unsigned sig, int si_code); /* * Define some primitives to manipulate sigset_t. --- a/kernel/signal.c +++ b/kernel/signal.c @@ -2847,7 +2847,7 @@ COMPAT_SYSCALL_DEFINE2(rt_sigpending, co } #endif -enum siginfo_layout siginfo_layout(int sig, int si_code) +enum siginfo_layout siginfo_layout(unsigned sig, int si_code) { enum siginfo_layout layout = SIL_KILL; if ((si_code > SI_USER) && (si_code < SI_KERNEL)) {