| From ada70d197ba55f155f5712fee75592ea960ce76f Mon Sep 17 00:00:00 2001 |
| From: Roland Dreier <roland@purestorage.com> |
| Date: Mon, 28 Mar 2011 14:13:35 -0700 |
| Subject: [PATCH] Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo |
| |
| commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream. |
| |
| Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo |
| from spoofing the signal code") made the check on si_code too strict. |
| There are several legitimate places where glibc wants to queue a |
| negative si_code different from SI_QUEUE: |
| |
| - This was first noticed with glibc's aio implementation, which wants |
| to queue a signal with si_code SI_ASYNCIO; the current kernel |
| causes glibc's tst-aio4 test to fail because rt_sigqueueinfo() |
| fails with EPERM. |
| |
| - Further examination of the glibc source shows that getaddrinfo_a() |
| wants to use SI_ASYNCNL (which the kernel does not even define). |
| The timer_create() fallback code wants to queue signals with SI_TIMER. |
| |
| As suggested by Oleg Nesterov <oleg@redhat.com>, loosen the check to |
| forbid only the problematic SI_TKILL case. |
| |
| Reported-by: Klaus Dittrich <kladit@arcor.de> |
| Acked-by: Julien Tinnes <jln@google.com> |
| Signed-off-by: Roland Dreier <roland@purestorage.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/kernel/signal.c b/kernel/signal.c |
| index 704c030..137a333 100644 |
| --- a/kernel/signal.c |
| +++ b/kernel/signal.c |
| @@ -2411,7 +2411,7 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig, |
| /* Not even root can pretend to send signals from the kernel. |
| * Nor can they impersonate a kill()/tgkill(), which adds source info. |
| */ |
| - if (info.si_code != SI_QUEUE) { |
| + if (info.si_code >= 0 || info.si_code == SI_TKILL) { |
| /* We used to allow any < 0 si_code */ |
| WARN_ON_ONCE(info.si_code < 0); |
| return -EPERM; |
| @@ -2431,7 +2431,7 @@ long do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info) |
| /* Not even root can pretend to send signals from the kernel. |
| * Nor can they impersonate a kill()/tgkill(), which adds source info. |
| */ |
| - if (info->si_code != SI_QUEUE) { |
| + if (info->si_code >= 0 || info->si_code == SI_TKILL) { |
| /* We used to allow any < 0 si_code */ |
| WARN_ON_ONCE(info->si_code < 0); |
| return -EPERM; |
| -- |
| 1.7.4.4 |
| |