On 10/12, Amanieu d'Antras wrote: > > rt_sigqueueinfo and rt_tgsigqueueinfo check the value of si_code to > prevent a process from spoofing a kernel-generated signal or one > generated by kill/tgkill. > > Unfortunately this check failed to take into account the fact that > the si_code value seen by a user process is only the low 16 bits of > the value in the kernel. It was still possible to spoof any si_code > by ORing 0xffff into the top 16 bits.
Confused... > --- a/kernel/signal.c > +++ b/kernel/signal.c > @@ -2989,7 +2989,7 @@ static int do_rt_sigqueueinfo(pid_t pid, int sig, > siginfo_t *info) > /* Not even root can pretend to send signals from the kernel. > * Nor can they impersonate a kill()/tgkill(), which adds source info. > */ > - if ((info->si_code >= 0 || info->si_code == SI_TKILL) && > + if (((short)info->si_code >= 0 || (short)info->si_code == SI_TKILL) && > (task_pid_vnr(current) != pid)) > return -EPERM; > > @@ -3037,7 +3037,7 @@ static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, > int sig, siginfo_t *info) > /* Not even root can pretend to send signals from the kernel. > * Nor can they impersonate a kill()/tgkill(), which adds source info. > */ > - if ((info->si_code >= 0 || info->si_code == SI_TKILL) && > + if (((short)info->si_code >= 0 || (short)info->si_code == SI_TKILL) && > (task_pid_vnr(current) != pid)) > return -EPERM; Yes, copy_siginfo_to_user() does __put_user((short)from->si_code). But SI_FROMUSER/SI_FROMKERNEL are internal kernel checks, we mostly use them in copy_siginfo_to_user(). And note that if ->si_code < 0 we simply do __copy_to_user(), so userspace can't see something which looks like "from kernel", in this case we do not truncate ->si_code. So I do not think this patch is right. Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
