From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Jan Kiszka <jan.kiszka@siemens.com>
Subject: [ 43/54] compat: Fix RT signal mask corruption via sigprocmask
Date: Fri, 18 May 2012 14:16:42 -0700	[thread overview]
Message-ID: <20120518211603.400350443@linuxfoundation.org> (raw)
In-Reply-To: <20120518212656.GA4992@kroah.com>

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kiszka <jan.kiszka@siemens.com>

commit b7dafa0ef3145c31d7753be0a08b3cbda51f0209 upstream.

compat_sys_sigprocmask reads a smaller signal mask from userspace than
sigprocmask accepts for setting.  So the high word of blocked.sig[0]
will be cleared, releasing any potentially blocked RT signal.

This was discovered via userspace code that relies on get/setcontext.
glibc's i386 versions of those functions use sigprocmask instead of
rt_sigprocmask to save/restore signal mask and caused RT signal
unblocking this way.

As suggested by Linus, this replaces the sys_sigprocmask based compat
version with one that open-codes the required logic, including the merge
of the existing blocked set with the new one provided on SIG_SETMASK.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/compat.c |   65 ++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 47 insertions(+), 18 deletions(-)

--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -318,25 +318,54 @@ asmlinkage long compat_sys_sigpending(co
 
 #ifdef __ARCH_WANT_SYS_SIGPROCMASK
 
-asmlinkage long compat_sys_sigprocmask(int how, compat_old_sigset_t __user *set,
-		compat_old_sigset_t __user *oset)
+/*
+ * sys_sigprocmask SIG_SETMASK sets the first (compat) word of the
+ * blocked set of signals to the supplied signal set
+ */
+static inline void compat_sig_setmask(sigset_t *blocked, compat_sigset_word set)
 {
-	old_sigset_t s;
-	long ret;
-	mm_segment_t old_fs;
-
-	if (set && get_user(s, set))
-		return -EFAULT;
-	old_fs = get_fs();
-	set_fs(KERNEL_DS);
-	ret = sys_sigprocmask(how,
-			      set ? (old_sigset_t __user *) &s : NULL,
-			      oset ? (old_sigset_t __user *) &s : NULL);
-	set_fs(old_fs);
-	if (ret == 0)
-		if (oset)
-			ret = put_user(s, oset);
-	return ret;
+	memcpy(blocked->sig, &set, sizeof(set));
+}
+
+asmlinkage long compat_sys_sigprocmask(int how,
+				       compat_old_sigset_t __user *nset,
+				       compat_old_sigset_t __user *oset)
+{
+	old_sigset_t old_set, new_set;
+	sigset_t new_blocked;
+
+	old_set = current->blocked.sig[0];
+
+	if (nset) {
+		if (get_user(new_set, nset))
+			return -EFAULT;
+		new_set &= ~(sigmask(SIGKILL) | sigmask(SIGSTOP));
+
+		new_blocked = current->blocked;
+
+		switch (how) {
+		case SIG_BLOCK:
+			sigaddsetmask(&new_blocked, new_set);
+			break;
+		case SIG_UNBLOCK:
+			sigdelsetmask(&new_blocked, new_set);
+			break;
+		case SIG_SETMASK:
+			compat_sig_setmask(&new_blocked, new_set);
+			break;
+		default:
+			return -EINVAL;
+		}
+
+		set_current_blocked(&new_blocked);
+	}
+
+	if (oset) {
+		if (put_user(old_set, oset))
+			return -EFAULT;
+	}
+
+	return 0;
 }
 
 #endif
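Review bot: compat_sig_setmask depends on host byte order to hit the right half of blocked->sig[0]. `memcpy(blocked->sig, &set, sizeof(set))` copies four bytes to the start of an unsigned long, which is the low-order half only on a little-endian host; on a big-endian 64-bit host those four bytes land in the upper half, leaving signals 1..32 untouched and overwriting exactly the RT range this patch is meant to preserve. Unless __ARCH_WANT_SYS_SIGPROCMASK is guaranteed never to be selected by a big-endian compat architecture, it would be safer to assign the low word explicitly, for example `blocked->sig[0] = (blocked->sig[0] & ~0xffffffffUL) | set;`, so the helper matches the "first (compat) word" its comment promises on every endianness. The rest of the hunk (masking SIGKILL/SIGSTOP before the switch, returning -EINVAL without touching oset, and copying the old low word out via put_user) reads correctly.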



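To make the failure the commit message describes concrete, here is an added model of the mask arithmetic, written for this page and not taken from the kernel. It assumes a 64-bit host where the in-kernel blocked set is a single 64-bit word (bit n-1 is signal n), a 32-bit compat_old_sigset_t on the user side, x86 signal numbers (SIGKILL 9, SIGUSR1 10, SIGSTOP 19, and 34 as the first RT signal glibc exposes), and little-endian layout for the fixed path; the MODEL_* names, apply_how and the two compat_sigprocmask_* functions are this example's own. It replays the get/setcontext sequence from the commit message against both the pre-fix and the post-fix compat behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model (not kernel code) of the signal-mask words involved in the fix:
 * the kernel's sigset_t on a 64-bit host is taken as one 64-bit word where
 * bit n-1 is signal n, so RT signals sit in the upper half; the legacy
 * compat_old_sigset_t that a 32-bit process passes to sigprocmask(2) only
 * covers signals 1..32.
 */
typedef uint64_t ksigset_t;             /* assumed in-kernel blocked word */
typedef uint32_t compat_old_sigset_t;   /* assumed 32-bit legacy user mask */

enum { MODEL_SIG_BLOCK, MODEL_SIG_UNBLOCK, MODEL_SIG_SETMASK };

#define SIGMASK(signo) ((ksigset_t)1 << ((signo) - 1))
#define MODEL_SIGKILL 9     /* x86 numbering, assumed */
#define MODEL_SIGUSR1 10
#define MODEL_SIGSTOP 19
#define LOW_WORD      ((ksigset_t)0xffffffffu)

typedef int (*sigprocmask_fn)(ksigset_t *blocked, int how, compat_old_sigset_t user_set);

/* Shared mask-edit logic; SIG_SETMASK replaces only the bits in `replace`. */
static int apply_how(ksigset_t *blocked, int how, ksigset_t set, ksigset_t replace)
{
    ksigset_t nb = *blocked;
    set &= ~(SIGMASK(MODEL_SIGKILL) | SIGMASK(MODEL_SIGSTOP)); /* never blockable */
    switch (how) {
    case MODEL_SIG_BLOCK:   nb |= set; break;
    case MODEL_SIG_UNBLOCK: nb &= ~set; break;
    case MODEL_SIG_SETMASK: nb = (nb & ~replace) | set; break;
    default: return -1;   /* -EINVAL in the kernel */
    }
    *blocked = nb;
    return 0;
}

/* Native 64-bit path (rt_sigprocmask, or sys_sigprocmask with a native
 * old_sigset_t): SIG_SETMASK replaces the whole first word. */
static int native_sigprocmask(ksigset_t *blocked, int how, ksigset_t set)
{
    return apply_how(blocked, how, set, ~(ksigset_t)0);
}

/* Pre-fix compat path: the 32-bit user mask is zero-extended and handed to
 * the native setter, so SIG_SETMASK also clears bits 32..63. */
static int compat_sigprocmask_old(ksigset_t *blocked, int how, compat_old_sigset_t user_set)
{
    return native_sigprocmask(blocked, how, (ksigset_t)user_set);
}

/* Post-fix compat path: SIG_SETMASK touches only the low 32 bits, which is
 * what the patch's 4-byte memcpy into sig[0] does on a little-endian host. */
static int compat_sigprocmask_fixed(ksigset_t *blocked, int how, compat_old_sigset_t user_set)
{
    return apply_how(blocked, how, (ksigset_t)user_set, LOW_WORD);
}

/*
 * The get/setcontext sequence from the commit message, replayed against a
 * given compat implementation: an RT signal is blocked through the
 * full-width path, the legacy call saves the (32-bit) mask, another signal
 * is blocked, then the legacy call restores the saved mask with SIG_SETMASK.
 * Returns 1 if the RT signal is still blocked afterwards, 0 if it was released.
 */
static int rt_signal_survives(sigprocmask_fn compat)
{
    const int rtsig = 34;                       /* an RT signal, above bit 31 */
    ksigset_t blocked = 0;
    compat_old_sigset_t saved;

    native_sigprocmask(&blocked, MODEL_SIG_BLOCK, SIGMASK(rtsig));   /* rt_sigprocmask */
    saved = (compat_old_sigset_t)blocked;       /* getcontext: only the low word is visible */
    compat(&blocked, MODEL_SIG_BLOCK, (compat_old_sigset_t)SIGMASK(MODEL_SIGUSR1));
    compat(&blocked, MODEL_SIG_SETMASK, saved); /* setcontext restores the old mask */

    return (blocked & SIGMASK(rtsig)) != 0;
}

/* Both paths must refuse to block SIGKILL/SIGSTOP: returns 1 if a SETMASK of
 * all ones leaves those two bits clear. */
static int kill_stop_unblockable(sigprocmask_fn compat)
{
    ksigset_t blocked = 0;
    compat(&blocked, MODEL_SIG_SETMASK, 0xffffffffu);
    return (blocked & (SIGMASK(MODEL_SIGKILL) | SIGMASK(MODEL_SIGSTOP))) == 0;
}

int main(void)
{
    printf("pre-fix compat path keeps RT signal blocked: %d\n",
           rt_signal_survives(compat_sigprocmask_old));
    printf("fixed compat path keeps RT signal blocked:   %d\n",
           rt_signal_survives(compat_sigprocmask_fixed));
    return 0;
}
```

The pre-fix path reports 0 (the RT signal was silently unblocked by the 32-bit SIG_SETMASK), the fixed path reports 1. Note that a SIG_BLOCK or SIG_UNBLOCK through the legacy call was never the problem in either version, since OR and AND-NOT with a zero-extended mask cannot touch bits 32..63; only SIG_SETMASK, which glibc's i386 setcontext uses, replaced the whole word.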

Thread overview: 70+ messages
2012-05-18 21:26 [ 00/54] 3.0.32-stable review Greg KH
2012-05-18 21:16 ` [ 01/54] smsc95xx: mark link down on startup and let PHY interrupt deal with carrier changes Greg KH
2012-05-18 21:16 ` [ 02/54] xen/pte: Fix crashes when trying to see non-existent PGD/PMD/PUD/PTEs Greg KH
2012-05-18 21:16 ` [ 03/54] xen/pci: dont use PCI BIOS service for configuration space accesses Greg KH
2012-05-18 21:16 ` [ 04/54] percpu, x86: dont use PMD_SIZE as embedded atom_size on 32bit Greg KH
2012-05-18 21:16 ` [ 05/54] asm-generic: Use __BITS_PER_LONG in statfs.h Greg KH
2012-05-18 21:16 ` [ 06/54] Fix __read_seqcount_begin() to use ACCESS_ONCE for sequence value read Greg KH
2012-05-18 21:16 ` [ 07/54] ARM: 7410/1: Add extra clobber registers for assembly in kernel_execve Greg KH
2012-05-18 21:16 ` [ 08/54] ARM: 7414/1: SMP: prevent use of the console when using idmap_pgd Greg KH
2012-05-18 21:16 ` [ 09/54] regulator: Fix the logic to ensure new voltage setting in valid range Greg KH
2012-05-18 21:16 ` [ 10/54] ARM: orion5x: Fix GPIO enable bits for MPP9 Greg KH
2012-05-18 21:16 ` [ 11/54] asix: Fix tx transfer padding for full-speed USB Greg KH
2012-05-18 21:16 ` [ 12/54] netem: fix possible skb leak Greg KH
2012-05-18 21:16 ` [ 13/54] net: In unregister_netdevice_notifier unregister the netdevices Greg KH
2012-05-21 17:35   ` Herton Ronaldo Krzesinski
2012-05-27  0:13     ` Greg KH
2012-05-27  0:18       ` David Miller
2012-05-27  0:22         ` Greg KH
2012-05-18 21:16 ` [ 14/54] net: l2tp: unlock socket lock before returning from l2tp_ip_sendmsg Greg KH
2012-05-18 21:16 ` [ 15/54] sky2: propogate rx hash when packet is copied Greg KH
2012-05-18 21:16 ` [ 16/54] sky2: fix receive length error in mixed non-VLAN/VLAN traffic Greg KH
2012-05-18 21:16 ` [ 17/54] tg3: Avoid panic from reserved statblk field access Greg KH
2012-05-18 21:16 ` [ 18/54] sungem: Fix WakeOnLan Greg KH
2012-05-18 21:16 ` [ 19/54] tcp: change tcp_adv_win_scale and tcp_rmem[2] Greg KH
2012-05-18 21:16 ` [ 20/54] sony-laptop: Enable keyboard backlight by default Greg KH
2012-05-18 21:16 ` [ 21/54] ALSA: echoaudio: Remove incorrect part of assertion Greg KH
2012-05-18 21:16 ` [ 22/54] ALSA: HDA: Lessen CPU usage when waiting for chip to respond Greg KH
2012-05-18 21:16 ` [ 23/54] usbnet: fix skb traversing races during unlink(v2) Greg KH
2012-05-18 21:16 ` [ 24/54] namespaces, pid_ns: fix leakage on fork() failure Greg KH
2012-05-18 21:16 ` [ 25/54] sparc64: Do not clobber %g2 in xcall_fetch_glob_regs() Greg KH
2012-05-18 21:16 ` [ 26/54] ARM: prevent VM_GROWSDOWN mmaps extending below FIRST_USER_ADDRESS Greg KH
2012-05-18 21:16 ` [ 27/54] media: rc: Postpone ISR registration Greg KH
2012-05-18 21:16 ` [ 28/54] cdc_ether: Ignore bogus union descriptor for RNDIS devices Greg KH
2012-05-18 21:16 ` [ 29/54] cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN Greg KH
2012-05-18 21:16 ` [ 30/54] percpu: pcpu_embed_first_chunk() should free unused parts after all allocs are complete Greg KH
2012-05-18 21:16 ` [ 31/54] kmemleak: Fix the kmemleak tracking of the percpu areas with !SMP Greg KH
2012-05-19 13:27   ` Christoph Biedl
2012-05-19 14:46     ` Greg KH
2012-05-19 15:45       ` Christoph Biedl
2012-05-19 21:45       ` Catalin Marinas
2012-05-18 21:16 ` [ 32/54] hugetlb: prevent BUG_ON in hugetlb_fault() -> hugetlb_cow() Greg KH
2012-05-18 21:16 ` [ 33/54] mm: nobootmem: fix sign extend problem in __free_pages_memory() Greg KH
2012-05-18 21:16 ` [ 34/54] jffs2: Fix lock acquisition order bug in gc path Greg KH
2012-05-18 21:16 ` [ 35/54] arch/tile: apply commit 74fca9da0 to the compat signal handling as well Greg KH
2012-05-18 21:16 ` [ 36/54] crypto: mv_cesa requires on CRYPTO_HASH to build Greg KH
2012-05-18 21:16 ` [ 37/54] MD: Add del_timer_sync to mddev_suspend (fix nasty panic) Greg KH
2012-05-18 21:16 ` [ 38/54] tcp: do_tcp_sendpages() must try to push data out on oom conditions Greg KH
2012-05-18 21:16 ` [ 39/54] init: dont try mounting device as nfs root unless type fully matches Greg KH
2012-05-18 21:16 ` [ 40/54] ext4: avoid deadlock on sync-mounted FS w/o journal Greg KH
2012-05-18 21:16 ` [ 41/54] NFSv4: Revalidate uid/gid after open Greg KH
2012-05-18 21:16 ` [ 42/54] memcg: free spare array to avoid memory leak Greg KH
2012-05-18 21:16 ` Greg KH [this message]
2012-05-18 21:16 ` [ 44/54] ext3: Fix error handling on inode bitmap corruption Greg KH
2012-05-18 21:16 ` [ 45/54] ext4: fix " Greg KH
2012-05-18 21:16 ` [ 46/54] ACPI / PM: Add Sony Vaio VPCCW29FX to nonvs blacklist Greg KH
2012-05-18 21:16 ` [ 47/54] SCSI: hpsa: Add IRQF_SHARED back in for the non-MSI(X) interrupt handler Greg KH
2012-05-18 21:16 ` [ 48/54] wake up s_wait_unfrozen when ->freeze_fs fails Greg KH
2012-05-18 21:16 ` [ 49/54] pch_gpio: Support new device LAPIS Semiconductor ML7831 IOH Greg KH
2012-05-18 21:16 ` [ 50/54] pch_gbe: fixed the issue which receives an unnecessary packet Greg KH
2012-05-18 21:16 ` [ 51/54] pch_gbe: support ML7831 IOH Greg KH
2012-05-18 21:16 ` [ 52/54] pch_gbe: Fixed the issue on which PC was frozen when link was downed Greg KH
2012-05-18 21:16 ` [ 53/54] pch_gbe: Do not abort probe on bad MAC Greg KH
2012-05-18 21:16 ` [ 54/54] pch_gbe: memory corruption calling pch_gbe_validate_option() Greg KH
2012-05-19  1:01 ` [ 00/54] 3.0.32-stable review Steven Rostedt
2012-05-19  4:20   ` Greg KH
2012-05-20  2:01     ` [PATCH] pidmap: Use GFP_ATOMIC to allocate page (was: Re: [ 00/54] 3.0.32-stable review) Steven Rostedt
2012-05-20  2:32       ` David Rientjes
2012-05-20 19:03         ` Linus Torvalds
2012-05-20 23:22           ` David Rientjes
2012-05-20 23:35             ` Linus Torvalds
