releases/2.6.34.9/Relax-si_code-check-in-rt_sigqueueinfo-and-rt_tgsigq.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-2.6.34 - Git at Google

 From ada70d197ba55f155f5712fee75592ea960ce76f Mon Sep 17 00:00:00 2001
 From: Roland Dreier <roland@purestorage.com>
 Date: Mon, 28 Mar 2011 14:13:35 -0700
 Subject: [PATCH] Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo

 commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream.

 Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo
 from spoofing the signal code") made the check on si_code too strict.
 There are several legitimate places where glibc wants to queue a
 negative si_code different from SI_QUEUE:

  - This was first noticed with glibc's aio implementation, which wants
    to queue a signal with si_code SI_ASYNCIO; the current kernel
    causes glibc's tst-aio4 test to fail because rt_sigqueueinfo()
    fails with EPERM.

  - Further examination of the glibc source shows that getaddrinfo_a()
    wants to use SI_ASYNCNL (which the kernel does not even define).
    The timer_create() fallback code wants to queue signals with SI_TIMER.

 As suggested by Oleg Nesterov <oleg@redhat.com>, loosen the check to
 forbid only the problematic SI_TKILL case.

 Reported-by: Klaus Dittrich <kladit@arcor.de>
 Acked-by: Julien Tinnes <jln@google.com>
 Signed-off-by: Roland Dreier <roland@purestorage.com>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/kernel/signal.c b/kernel/signal.c
 index 704c030..137a333 100644
 --- a/kernel/signal.c
 +++ b/kernel/signal.c
 @@ -2411,7 +2411,7 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
  	/* Not even root can pretend to send signals from the kernel.
  	 * Nor can they impersonate a kill()/tgkill(), which adds source info.
  	 */
 -	if (info.si_code != SI_QUEUE) {
 +	if (info.si_code >= 0 || info.si_code == SI_TKILL) {
  		/* We used to allow any < 0 si_code */
  		WARN_ON_ONCE(info.si_code < 0);
  		return -EPERM;
 @@ -2431,7 +2431,7 @@ long do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info)
  	/* Not even root can pretend to send signals from the kernel.
  	 * Nor can they impersonate a kill()/tgkill(), which adds source info.
  	 */
 -	if (info->si_code != SI_QUEUE) {
 +	if (info->si_code >= 0 || info->si_code == SI_TKILL) {
  		/* We used to allow any < 0 si_code */
  		WARN_ON_ONCE(info->si_code < 0);
  		return -EPERM;
 --
 1.7.4.4
	From ada70d197ba55f155f5712fee75592ea960ce76f Mon Sep 17 00:00:00 2001
	From: Roland Dreier <roland@purestorage.com>
	Date: Mon, 28 Mar 2011 14:13:35 -0700
	Subject: [PATCH] Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo

	commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream.

	Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo
	from spoofing the signal code") made the check on si_code too strict.
	There are several legitimate places where glibc wants to queue a
	negative si_code different from SI_QUEUE:

	- This was first noticed with glibc's aio implementation, which wants
	to queue a signal with si_code SI_ASYNCIO; the current kernel
	causes glibc's tst-aio4 test to fail because rt_sigqueueinfo()
	fails with EPERM.

	- Further examination of the glibc source shows that getaddrinfo_a()
	wants to use SI_ASYNCNL (which the kernel does not even define).
	The timer_create() fallback code wants to queue signals with SI_TIMER.

	As suggested by Oleg Nesterov <oleg@redhat.com>, loosen the check to
	forbid only the problematic SI_TKILL case.

	Reported-by: Klaus Dittrich <kladit@arcor.de>
	Acked-by: Julien Tinnes <jln@google.com>
	Signed-off-by: Roland Dreier <roland@purestorage.com>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/kernel/signal.c b/kernel/signal.c
	index 704c030..137a333 100644
	--- a/kernel/signal.c
	+++ b/kernel/signal.c
	@@ -2411,7 +2411,7 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
	/* Not even root can pretend to send signals from the kernel.
	* Nor can they impersonate a kill()/tgkill(), which adds source info.
	*/
	- if (info.si_code != SI_QUEUE) {
	+ if (info.si_code >= 0 \|\| info.si_code == SI_TKILL) {
	/* We used to allow any < 0 si_code */
	WARN_ON_ONCE(info.si_code < 0);
	return -EPERM;
	@@ -2431,7 +2431,7 @@ long do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info)
	/* Not even root can pretend to send signals from the kernel.
	* Nor can they impersonate a kill()/tgkill(), which adds source info.
	*/
	- if (info->si_code != SI_QUEUE) {
	+ if (info->si_code >= 0 \|\| info->si_code == SI_TKILL) {
	/* We used to allow any < 0 si_code */
	WARN_ON_ONCE(info->si_code < 0);
	return -EPERM;
	--
	1.7.4.4