From: Ali Raza <elirazamumtaz@gmail.com>
To: qemu-devel@nongnu.org
Cc: Ali Raza <elirazamumtaz@gmail.com>, morgan@kernel.org
Subject: [PATCH 2/3] linux-user: Validate tkill/tgkill targets are guest threads
Date: Wed, 15 Apr 2026 04:58:35 +0500
Message-ID: <20260415-master-v1-2-8dd2ef111eee@gmail.com>
In-Reply-To: <20260415-master-v1-0-8dd2ef111eee@gmail.com>

The tkill and tgkill syscall handlers pass the guest-supplied TID
directly to the host kernel without checking whether it belongs to a
guest thread.  This allows a guest to send signals to QEMU-internal
host threads (RCU, TCG workers) that have no CPUState and no guest
signal handlers, which can cause hangs or disrupt QEMU operation.

Add validation that checks the target TID against the guest CPU list
before forwarding the signal to the host.  For tgkill, also verify
that the tgid matches the current process.  Return -ESRCH for TIDs
that do not correspond to any guest thread, matching the behavior a
real kernel would return for a nonexistent thread.

This complements the /proc/*/task/ filtering in the previous commit
to provide defense-in-depth: even if a guest discovers or guesses a
QEMU-internal thread TID, it cannot send signals to it.

Signed-off-by: Ali Raza (@locus-x64)
---
 linux-user/syscall.c | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index b5a912dc22..a075b9a90b 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -13449,11 +13449,41 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
 #endif
 
     case TARGET_NR_tkill:
-        return get_errno(safe_tkill((int)arg1, target_to_host_signal(arg2)));
+    {
+        int tid = (int)arg1;
+        /*
+         * Reject signals to host threads that are not guest threads.
+         * QEMU-internal threads (RCU, TCG) share the host PID but have
+         * no CPUState and cannot handle guest-originated signals.
+         */
+        WITH_RCU_READ_LOCK_GUARD() {
+            if (!is_guest_tid(tid)) {
+                return -TARGET_ESRCH;
+            }
+        }
+        return get_errno(safe_tkill(tid, target_to_host_signal(arg2)));
+    }
 
     case TARGET_NR_tgkill:
-        return get_errno(safe_tgkill((int)arg1, (int)arg2,
+    {
+        int tgid = (int)arg1;
+        int tid = (int)arg2;
+        /*
+         * Validate that the target TID is a guest thread.  Also verify
+         * that the tgid matches our process, since all guest threads
+         * share the same host tgid.
+         */
+        if (tgid != getpid()) {
+            return -TARGET_ESRCH;
+        }
+        WITH_RCU_READ_LOCK_GUARD() {
+            if (!is_guest_tid(tid)) {
+                return -TARGET_ESRCH;
+            }
+        }
+        return get_errno(safe_tgkill(tgid, tid,
                          target_to_host_signal(arg3)));
+    }
 
 #ifdef TARGET_NR_set_robust_list
     case TARGET_NR_set_robust_list:
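Review bot: the new checks turn the kernel's -EINVAL for non-positive ids into -ESRCH, which contradicts the commit message's goal of matching real kernel behaviour. Linux's tkill rejects pid <= 0 with -EINVAL, and tgkill rejects tgid <= 0 or pid <= 0 the same way; with this hunk a guest passing tid 0 (or a negative tid) to tkill, or tgid 0 to tgkill, now gets -TARGET_ESRCH from the is_guest_tid() lookup or the getpid() comparison instead of the EINVAL the host kernel used to return. Consider adding `if (tid <= 0) { return -TARGET_EINVAL; }` (and `tgid <= 0` for the tgkill case) ahead of the guest-thread check so the error code is preserved. Also worth a comment in the code: is_guest_tid() runs inside WITH_RCU_READ_LOCK_GUARD(), but safe_tkill()/safe_tgkill() are called after the guard is released, so a guest thread that exits between the lookup and the syscall can have its TID recycled by the host; the window is narrow, but the validation is advisory rather than atomic with signal delivery.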

-- 
2.43.0



Thread overview (6+ messages):
2026-04-14 23:58 [PATCH 0/3] linux-user: Filter /proc/*/task/ and validate tkill targets Ali Raza
2026-04-14 23:58 ` [PATCH 1/3] linux-user: Filter /proc/*/task/ to hide QEMU-internal threads Ali Raza
2026-04-23 15:59   ` Helge Deller
2026-04-24  9:26     ` Ali Raza
2026-04-14 23:58 ` Ali Raza [this message]
2026-04-14 23:58 ` [PATCH 3/3] tests/tcg: Add test for /proc/self/task/ filtering and tkill validation Ali Raza
