Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2227781pxb; Sun, 31 Oct 2021 10:41:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwsCzMXLPpnuL1b6kq1PtfQ0InuHoV5yMVLX/2CkVDHsP0jmFf4cfY+4Q9m5fz5+FXfSzGt X-Received: by 2002:a05:6602:717:: with SMTP id f23mr14802079iox.174.1635702111550; Sun, 31 Oct 2021 10:41:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635702111; cv=none; d=google.com; s=arc-20160816; b=ouXyTneh0KJBCb2e7j3eOP3NNPvo2bh4bWgj1jM9orRc18z/9moaL0ZPnNpKdY+A4+ ti8tD/jDxbihaN/UzLaNLIjKKaE4hbVNjOmdQEqzoZqFBDpQzF1cESaha5hUEoeIxOC6 Fe/pHMaA6afgqTtHtWUoyybqNHkjYuZ39G3l9rSDNgQUFMv/+5iH8YxYmFKHTmO/9HHL JIMckTLRZu/C/q8cAPDrwPAwiWIwmvEXhbxXx0UNy6FobemrK6+wtgEArHK8snOrYd0m hR+wmXWaMHS3YFHjcGivjWHIMuETYONDYK+IKwM7wNX+t1wWs+FD63mgvpfvQDyf/LDJ SiWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=CRAiFS1cKz+cJsqMGNZZJACSB/KL6YFLVva91SNe05Y=; b=ieLgWPEM63cH1DyVQgukDLpEc/hN9vOPbJP9LxKyC9BXPaeUqQWHPzX0JZxyC1olpK nOcnEY2LUYLn9D2wZIcUiZSb7k/gt1CCzAOKWxRhTap26NjKtC+8h9j02HSLbboT5xo+ tfwAZqpvAcIs3qUM9HwNGb2EN5QeD223QHKt0wI2AuHvayHcGFVfGlVI+OXSXH+bYieW xEaA32VOPP7xD5yJer+pDvXmpIEOHJN5RSYIrvW6/0ILQPiK/hN5XKN3kavZxaMOkK19 Pa96vh32CHXfr9EqpgWa9XqOU1MQ2NLljASb5B1do7ZbwV+Egs/iDVsMB2TGsuPlMny6 /eCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=v4pXO7t4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u15si254464ilq.13.2021.10.31.10.41.40; Sun, 31 Oct 2021 10:41:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=v4pXO7t4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230480AbhJaRnM (ORCPT + 99 others); Sun, 31 Oct 2021 13:43:12 -0400 Received: from smtp-relay-internal-1.canonical.com ([185.125.188.123]:33058 "EHLO smtp-relay-internal-1.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230188AbhJaRnB (ORCPT ); Sun, 31 Oct 2021 13:43:01 -0400 Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com [209.85.208.71]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id CAE263F17B for ; Sun, 31 Oct 2021 17:40:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1635702021; bh=CRAiFS1cKz+cJsqMGNZZJACSB/KL6YFLVva91SNe05Y=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:In-Reply-To; b=v4pXO7t4Jmet2uBFpNpcZxF8Kf+vJo+XydC/oW8wz/g90s1k76Aa5VDpV3weKDp+r khcKkMIuvmVuP2TiXipv7qNZRFwEoIC8imIMPAu4RYB8naCfjq/G0odaHxiOb8GeVr 18Ufqd4BFVZCYC7wZdD9KLjQ8ZJmz4IXdsx15lU6cbqzxLafFs/L57vM49M/+UNZOW 7VLUZKDa9abbNLGftZYPTmTVYaxvGoKpkB8Wh3pZO409ybldyUs7L4SUgtVhO/0/VE QOv4FHfijjdLFbUdGB1b+JZXpuBbnNrjqOlmVbxvG/yjRRDBz4rzXvMXJtFH3sAHCa RyK2Ud+5i2XcQ== Received: by mail-ed1-f71.google.com with SMTP id y12-20020a056402270c00b003e28de6e995so80865edd.11 for ; Sun, 31 Oct 2021 10:40:21 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=CRAiFS1cKz+cJsqMGNZZJACSB/KL6YFLVva91SNe05Y=; b=sg4+jLPQ2FdcE/TJCvquZO9CB3WYtKgM2gcdzrGUOyAT4ZHQWS1jLU/sJTYqZwxrzy t6n5mNG/2lSz7tef5y3YRo5V8mxW8kFtTjaVIcejgxiXmnlZUJWgvgP9I8LimZ+GjOFy L9wcgG8Nj/3fLFTA14kcAH+pbh/fRLR8o8a/cjDtW1IDHT/9wQEExIj/rHQ/wJSN/uue Ci6qBHXv5i81mIAyVQW4pEjTq+9EvfzmllrHw37/viBcGRXFToB6jkui455LE49xWLnQ r4fvZG1H6gws3NW2weMOA7V03xouj877K0I30hujiLI5GDiR6x0vPvPQDCD9bie4ZSf/ uawg== X-Gm-Message-State: AOAM531Y8BRBOk7iWXktiw0rxMVu6mIBupIQr2Md4hiLggE/gRrJ669j 0cu2UuN/Y7dzoyDNYZqaAYpiGtBnBUa4Cud2gAVtnh0awaWRn+9o+TQG1eyfQK4zDuUWJVswVaP mQPeNgN2zARhNXqcJfjbNkRm8Qfi9rVB88cetMwIx7w== X-Received: by 2002:a05:6402:3512:: with SMTP id b18mr33560113edd.15.1635702021473; Sun, 31 Oct 2021 10:40:21 -0700 (PDT) X-Received: by 2002:a05:6402:3512:: with SMTP id b18mr33560092edd.15.1635702021288; Sun, 31 Oct 2021 10:40:21 -0700 (PDT) Received: from localhost ([2001:67c:1560:8007::aac:c1b6]) by smtp.gmail.com with ESMTPSA id t25sm1766673edv.31.2021.10.31.10.40.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 31 Oct 2021 10:40:20 -0700 (PDT) Date: Sun, 31 Oct 2021 18:40:19 +0100 From: Andrea Righi To: "Eric W. Biederman" Cc: Kees Cook , Shuah Khan , Alexei Starovoitov , Andy Lutomirski , Will Drewry , linux-kselftest@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed Message-ID: References: <202110280955.B18CB67@keescook> <878rydm56l.fsf@disp2133> <202110281136.5CE65399A7@keescook> <87k0hvkgvj.fsf_-_@disp2133> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87k0hvkgvj.fsf_-_@disp2133> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 29, 2021 at 10:09:04AM -0500, Eric W. Biederman wrote: > > As Andy pointed out that there are races between > force_sig_info_to_task and sigaction[1] when force_sig_info_task. As > Kees discovered[2] ptrace is also able to change these signals. > > In the case of seeccomp killing a process with a signal it is a > security violation to allow the signal to be caught or manipulated. > > Solve this problem by introducing a new flag SA_IMMUTABLE that > prevents sigaction and ptrace from modifying these forced signals. > This flag is carefully made kernel internal so that no new ABI is > introduced. > > Longer term I think this can be solved by guaranteeing short circuit > delivery of signals in this case. Unfortunately reliable and > guaranteed short circuit delivery of these signals is still a ways off > from being implemented, tested, and merged. So I have implemented a much > simpler alternative for now. > > [1] https://lkml.kernel.org/r/b5d52d25-7bde-4030-a7b1-7c6f8ab90660@www.fastmail.com > [2] https://lkml.kernel.org/r/202110281136.5CE65399A7@keescook > Cc: stable@vger.kernel.org > Fixes: 307d522f5eb8 ("signal/seccomp: Refactor seccomp signal and coredump generation") > Signed-off-by: "Eric W. Biederman" > --- FWIW I've tested this patch and I confirm that it fixes the failure that I reported with the seccomp_bpf selftest. Tested-by: Andrea Righi Thanks! -Andrea > > I have tested this patch and this changed works for me to fix the issue. > > I believe this closes all of the races that force_sig_info_to_task > has when sigdfl is specified. So this should be enough for anything > that needs a guaranteed that userspace can not race with the kernel > is handled. > > Can folks look this over and see if I missed something? > Thank you, > Eric > > > include/linux/signal_types.h | 3 +++ > include/uapi/asm-generic/signal-defs.h | 1 + > kernel/signal.c | 8 +++++++- > 3 files changed, 11 insertions(+), 1 deletion(-) > > diff --git a/include/linux/signal_types.h b/include/linux/signal_types.h > index 34cb28b8f16c..927f7c0e5bff 100644 > --- a/include/linux/signal_types.h > +++ b/include/linux/signal_types.h > @@ -70,6 +70,9 @@ struct ksignal { > int sig; > }; > > +/* Used to kill the race between sigaction and forced signals */ > +#define SA_IMMUTABLE 0x008000000 > + > #ifndef __ARCH_UAPI_SA_FLAGS > #ifdef SA_RESTORER > #define __ARCH_UAPI_SA_FLAGS SA_RESTORER > diff --git a/include/uapi/asm-generic/signal-defs.h b/include/uapi/asm-generic/signal-defs.h > index fe929e7b77ca..7572f2f46ee8 100644 > --- a/include/uapi/asm-generic/signal-defs.h > +++ b/include/uapi/asm-generic/signal-defs.h > @@ -45,6 +45,7 @@ > #define SA_UNSUPPORTED 0x00000400 > #define SA_EXPOSE_TAGBITS 0x00000800 > /* 0x00010000 used on mips */ > +/* 0x00800000 used for internal SA_IMMUTABLE */ > /* 0x01000000 used on x86 */ > /* 0x02000000 used on x86 */ > /* > diff --git a/kernel/signal.c b/kernel/signal.c > index 6a5e1802b9a2..056a107e3cbc 100644 > --- a/kernel/signal.c > +++ b/kernel/signal.c > @@ -1336,6 +1336,7 @@ force_sig_info_to_task(struct kernel_siginfo *info, struct task_struct *t, bool > blocked = sigismember(&t->blocked, sig); > if (blocked || ignored || sigdfl) { > action->sa.sa_handler = SIG_DFL; > + action->sa.sa_flags |= SA_IMMUTABLE; > if (blocked) { > sigdelset(&t->blocked, sig); > recalc_sigpending_and_wake(t); > @@ -2760,7 +2761,8 @@ bool get_signal(struct ksignal *ksig) > if (!signr) > break; /* will return 0 */ > > - if (unlikely(current->ptrace) && signr != SIGKILL) { > + if (unlikely(current->ptrace) && (signr != SIGKILL) && > + !(sighand->action[signr -1].sa.sa_flags & SA_IMMUTABLE)) { > signr = ptrace_signal(signr, &ksig->info); > if (!signr) > continue; > @@ -4110,6 +4112,10 @@ int do_sigaction(int sig, struct k_sigaction *act, struct k_sigaction *oact) > k = &p->sighand->action[sig-1]; > > spin_lock_irq(&p->sighand->siglock); > + if (k->sa.sa_flags & SA_IMMUTABLE) { > + spin_unlock_irq(&p->sighand->siglock); > + return -EINVAL; > + } > if (oact) > *oact = *k; > > -- > 2.20.1