From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yoji, Oleg Nesterov, Manfred Spraul, Andrew Morton, "Eric W. Biederman", Davidlohr Bueso, Markus Elfring, 1vier1@web.de, Linus Torvalds
Subject: [PATCH 5.6 081/118] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()
Date: Wed, 13 May 2020 11:45:00 +0200
Message-Id: <20200513094424.603765372@linuxfoundation.org>
In-Reply-To: <20200513094417.618129545@linuxfoundation.org>
References: <20200513094417.618129545@linuxfoundation.org>
From: Oleg Nesterov

commit b5f2006144c6ae941726037120fa1001ddede784 upstream.

Commit cc731525f26a ("signal: Remove kernel interal si_code magic") changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify() no longer works if the sender doesn't have rights to send a signal.

Change __do_notify() to use do_send_sig_info() instead of kill_pid_info() to avoid check_kill_permission().

This needs the additional notify.sigev_signo != 0 check, shouldn't we change do_mq_notify() to deny sigev_signo == 0?

Test-case:

	#include <signal.h>
	#include <mqueue.h>
	#include <fcntl.h>
	#include <unistd.h>
	#include <sys/wait.h>
	#include <assert.h>

	static int notified;

	static void sigh(int sig)
	{
		notified = 1;
	}

	int main(void)
	{
		signal(SIGIO, sigh);

		int fd = mq_open("/mq", O_RDWR|O_CREAT, 0666, NULL);
		assert(fd >= 0);

		/* ask for SIGIO when a message arrives on the empty queue */
		struct sigevent se = {
			.sigev_notify = SIGEV_SIGNAL,
			.sigev_signo  = SIGIO,
		};
		assert(mq_notify(fd, &se) == 0);

		if (!fork()) {
			/* the sender drops to uid 1, so it may not signal the parent */
			assert(setuid(1) == 0);
			mq_send(fd, "", 1, 0);
			return 0;
		}

		wait(NULL);
		mq_unlink("/mq");
		/* the notification must still be delivered to the parent */
		assert(notified);
		return 0;
	}

[manfred@colorfullife.com: 1) Add self_exec_id evaluation so that the implementation matches do_notify_parent 2) use PIDTYPE_TGID everywhere]

Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic")
Reported-by: Yoji
Signed-off-by: Oleg Nesterov
Signed-off-by: Manfred Spraul
Signed-off-by: Andrew Morton
Acked-by: "Eric W. Biederman"
Cc: Davidlohr Bueso
Cc: Markus Elfring
Cc: <1vier1@web.de>
Cc:
Link: http://lkml.kernel.org/r/e2a782e4-eab9-4f5c-c749-c07a8f7a4e66@colorfullife.com
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
 ipc/mqueue.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

--- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -142,6 +142,7 @@ struct mqueue_inode_info { struct sigevent notify; struct pid *notify_owner; + u32 notify_self_exec_id; struct user_namespace *notify_user_ns; struct user_struct *user; /* user who created, for accounting */ struct sock *notify_sock;
@@ -774,28 +775,44 @@ static void __do_notify(struct mqueue_in * synchronously. */ if (info->notify_owner && info->attr.mq_curmsgs == 1) { - struct kernel_siginfo sig_i; switch (info->notify.sigev_notify) { case SIGEV_NONE: break; - case SIGEV_SIGNAL: - /* sends signal */ + case SIGEV_SIGNAL: { + struct kernel_siginfo sig_i; + struct task_struct *task; + + /* do_mq_notify() accepts sigev_signo == 0, why?? */ + if (!info->notify.sigev_signo) + break; clear_siginfo(&sig_i); sig_i.si_signo = info->notify.sigev_signo; sig_i.si_errno = 0; sig_i.si_code = SI_MESGQ; sig_i.si_value = info->notify.sigev_value; - /* map current pid/uid into info->owner's namespaces */ rcu_read_lock(); + /* map current pid/uid into info->owner's namespaces */ sig_i.si_pid = task_tgid_nr_ns(current, ns_of_pid(info->notify_owner)); - sig_i.si_uid = from_kuid_munged(info->notify_user_ns, current_uid()); + sig_i.si_uid = from_kuid_munged(info->notify_user_ns, + current_uid()); + /* + * We can't use kill_pid_info(), this signal should + * bypass check_kill_permission(). It is from kernel + * but si_fromuser() can't know this. + * We do check the self_exec_id, to avoid sending + * signals to programs that don't expect them. + */ + task = pid_task(info->notify_owner, PIDTYPE_TGID); + if (task && task->self_exec_id == + info->notify_self_exec_id) { + do_send_sig_info(info->notify.sigev_signo, + &sig_i, task, PIDTYPE_TGID); + } rcu_read_unlock(); - - kill_pid_info(info->notify.sigev_signo, - &sig_i, info->notify_owner); break; + } case SIGEV_THREAD: set_cookie(info->notify_cookie, NOTIFY_WOKENUP); netlink_sendskb(info->notify_sock, info->notify_cookie); @@ -1384,6 +1401,7 @@ retry: info->notify.sigev_signo = notification->sigev_signo; info->notify.sigev_value = notification->sigev_value; info->notify.sigev_notify = SIGEV_SIGNAL; + info->notify_self_exec_id = current->self_exec_id; break; }
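Review bot: the new `u32 notify_self_exec_id;` member added to struct mqueue_inode_info in the @@ -142,6 +142,7 @@ hunk has no comment, while the neighbouring `user` member documents its purpose; its meaning is only recoverable from the later __do_notify() and do_mq_notify() hunks, so suggest something like `u32 notify_self_exec_id; /* self_exec_id of notify_owner when it registered */` so a reader of the struct knows the value is compared against task->self_exec_id before a SIGEV_SIGNAL notification is delivered.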
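Review bot: in the __do_notify() hunk the comment `/* do_mq_notify() accepts sigev_signo == 0, why?? */` leaves an open question in the code, and the commit message asks the same thing; the `if (!info->notify.sigev_signo) break;` guard appears to be required precisely because the signal-number validation used to happen inside the kill_pid_info() path that this hunk bypasses, so either state that as the invariant in the comment or reject sigev_signo == 0 in do_mq_notify() and drop the guard. Separately, when `task->self_exec_id != info->notify_self_exec_id` the signal is dropped without any trace; that mirrors the do_notify_parent() behaviour the hunk's comment alludes to, but a one-line remark that a registration belonging to a since-exec'd image is intentionally discarded would stop the next reader from searching for an error path. Moving `/* map current pid/uid into info->owner's namespaces */` below rcu_read_lock() and using PIDTYPE_TGID in both pid_task() and do_send_sig_info() is fine as long as notify_owner is always a thread-group pid, which is not visible in this hunk and is worth a sentence in the commit message.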
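Review bot: `info->notify_self_exec_id = current->self_exec_id;` in the @@ -1384,6 +1401,7 @@ hunk is assigned only in the SIGEV_SIGNAL arm, so after a registration of another sigev_notify kind (handled in arms not shown here) the field keeps whatever an earlier SIGEV_SIGNAL registration left in it. That is harmless today because the __do_notify() hunk reads it only under `case SIGEV_SIGNAL:`, but the invariant is implicit; either set it for every registration next to notify_owner, or add a comment here saying only SIGEV_SIGNAL consumes it. It is also worth noting in a comment that the value is sampled from the registering thread (`current`) yet later compared with the task returned by `pid_task(info->notify_owner, PIDTYPE_TGID)`, so the check relies on all threads of a group agreeing on self_exec_id.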