Date: Fri, 19 Jun 2026 15:28:09 +0200
From: Oleg Nesterov
To: Andrew Morton
Cc: Andy Lutomirski, "Eric W. Biederman", Kees Cook, Kusaram Devineni, Peter Zijlstra, Thomas Gleixner, Will Drewry, linux-kernel@vger.kernel.org
Subject: [PATCH v2 3/3] signal: fix evasion of SA_IMMUTABLE signals

force_sig_info_to_task(HANDLER_EXIT) sets SA_IMMUTABLE to ensure a forced
fatal signal cannot be ignored or caught by userspace; it must always
terminate the target.

However, if get_signal() dequeues another synchronous signal first, and that
signal has a handler and its sa_mask includes the fatal SA_IMMUTABLE signal,
the task can return to userspace and survive.

So dequeue_synchronous_signal() must always dequeue an SA_IMMUTABLE signal
first. But it relies on the SI_FROMKERNEL() check and picks the first one it
sees in pending->list, and thus we have the following problems:

- If the same signal was already pending and blocked, the new siginfo with
  .si_code > 0 will be lost. Change __send_signal_locked() to bypass the
  legacy_queue() check in this case.

- If force_sig_info_to_task() races with another synchronous/SI_FROMKERNEL
  signal, that signal can be picked first. Change __send_signal_locked() to
  add an SA_IMMUTABLE signal at the start of pending->list.

- SA_IMMUTABLE implies override_rlimit == true, but GFP_ATOMIC can fail
  anyway. Change __send_signal_locked() to escalate to SIGKILL in this (very
  unlikely) case. Not perfect and perhaps deserves WARN() or
  pr_warn_ratelimited(), but better than nothing.
However, unlike get_signal(), __send_signal_locked() can not rely on the
k_sigaction.sa.sa_flags & SA_IMMUTABLE check; another signal with the same
.si_signo can come before dequeue_synchronous_signal() dequeues the signal
sent by force(HANDLER_EXIT). Say, send_sig_perf() from task_work_run(), and
this signal is SI_FROMKERNEL() too.

Use the new SEND_SIGNAL_IMMUTABLE flag to pass the "immutable" state from
force_sig_info_to_task() to __send_signal_locked().

Signed-off-by: Oleg Nesterov
---
 kernel/signal.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/kernel/signal.c b/kernel/signal.c
index 9c607a598ba1..077effd21582 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1038,10 +1038,12 @@ static inline bool legacy_queue(struct sigpending *signals, int sig) } #define SEND_SIGNAL_FORCE (1 << 0) +#define SEND_SIGNAL_IMMUTABLE (1 << 1) static int __send_signal_locked(int sig, struct kernel_siginfo *info, struct task_struct *t, enum pid_type type, int flags) { + bool immutable = flags & SEND_SIGNAL_IMMUTABLE; struct sigpending *pending; struct sigqueue *q; int override_rlimit; @@ -1055,12 +1057,12 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info, pending = (type != PIDTYPE_PID) ? &t->signal->shared_pending : &t->pending; /* - * Short-circuit ignored signals and support queuing - * exactly one non-rt signal, so that we can get more - * detailed information about the cause of the signal. + * Queue exactly one non-rt signal so that we can get more + * detailed information about the cause. But we must never + * lose the siginfo for an SA_IMMUTABLE signal. */ result = TRACE_SIGNAL_ALREADY_PENDING; - if (legacy_queue(pending, sig)) + if (legacy_queue(pending, sig) && !immutable) goto ret; result = TRACE_SIGNAL_DELIVERED;
@@ -1087,7 +1089,12 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info, q = sigqueue_alloc(sig, t, GFP_ATOMIC, override_rlimit); if (q) { - list_add_tail(&q->list, &pending->list); + /* Ensure dequeue_synchronous_signal() sees SA_IMMUTABLE first */ + if (immutable) + list_add(&q->list, &pending->list); + else + list_add_tail(&q->list, &pending->list); + switch ((unsigned long) info) { case (unsigned long) SEND_SIG_NOINFO: clear_siginfo(&q->info); @@ -1130,6 +1137,9 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info, * send the signal, but the *info bits are lost. */ result = TRACE_SIGNAL_LOSE_INFO; + /* The task must not escape SA_IMMUTABLE; escalate to SIGKILL */ + if (immutable) + sig = SIGKILL; } out_set: @@ -1307,8 +1317,10 @@ force_sig_info_to_task(struct kernel_siginfo *info, struct task_struct *t, blocked = sigismember(&t->blocked, sig); if (blocked || ignored || (handler != HANDLER_CURRENT)) { action->sa.sa_handler = SIG_DFL; - if (handler == HANDLER_EXIT) + if (handler == HANDLER_EXIT) { action->sa.sa_flags |= SA_IMMUTABLE; + send_flags |= SEND_SIGNAL_IMMUTABLE; + } if (blocked) sigdelset(&t->blocked, sig); } -- 2.52.0
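Review bot: in the @@ -1038 hunk, `#define SEND_SIGNAL_IMMUTABLE (1 << 1)` is added without a comment saying what it means for __send_signal_locked() (skip legacy_queue(), insert at the list head, escalate to SIGKILL on allocation failure) or that only the force_sig_info_to_task(HANDLER_EXIT) path is expected to set it; a one-line comment next to the define would record that contract where future callers of the flags argument will look.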
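Review bot: in the @@ -1055 hunk, `if (legacy_queue(pending, sig) && !immutable)` allows a second sigqueue entry for the same non-rt signal while the older blocked entry for that signal stays on pending->list; the rewritten comment should state that this duplicate is tolerated only because the immutable entry is consumed first and its delivery is fatal, otherwise the remaining "Queue exactly one non-rt signal" wording reads as if the one-entry invariant still holds.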
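Review bot: in the @@ -1087 hunk, `list_add(&q->list, &pending->list)` makes the fix depend on dequeue_synchronous_signal() scanning from the head and on head insertion being reserved for SEND_SIGNAL_IMMUTABLE; the comment "Ensure dequeue_synchronous_signal() sees SA_IMMUTABLE first" should say that head insertion must not be used for any other sender, or a matching comment belongs at the dequeue side, so the two halves of the ordering contract cannot drift apart in later changes.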
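Review bot: in the @@ -1130 hunk, `if (immutable) sig = SIGKILL;` silently changes which signal terminates the task and drops the forced siginfo entirely; since the commit message already says this case deserves WARN() or pr_warn_ratelimited(), adding the pr_warn_ratelimited() here (with the original `sig` and the pid) would make the escalation visible in logs rather than leaving the queued SIGKILL as the only trace of the allocation failure.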
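Review bot: in the @@ -1307 hunk, `send_flags |= SEND_SIGNAL_IMMUTABLE;` relies on a `send_flags` variable that is declared and passed through to __send_signal_locked() outside the visible context, presumably by an earlier patch in this series; the commit message should name that dependency, and it is worth confirming in review that the flag is set only on the HANDLER_EXIT branch together with `action->sa.sa_flags |= SA_IMMUTABLE`, so the queue-side and action-side state always agree.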