* Re: + make-good_sigevent-non-static.patch added to -mm tree @ 2007-01-25 15:43 Oleg Nesterov 2007-01-26 9:32 ` Sébastien Dugué 0 siblings, 1 reply; 4+ messages in thread From: Oleg Nesterov @ 2007-01-25 15:43 UTC (permalink / raw) To: sebastien.dugue Cc: Zach Brown, Suparna Bhattacharya, Benjamin LaHaise, Ulrich Drepper, Ingo Molnar, Thomas Gleixner, Andrew Morton, linux-kernel SИbastien DuguИ wrote: > > +struct task_struct *good_sigevent(sigevent_t *event) > +{ > + struct task_struct *task = current->group_leader; > + > + if ((event->sigev_notify & SIGEV_THREAD_ID) == SIGEV_THREAD_ID) { > + task = find_task_by_pid(event->sigev_notify_thread_id); > + > + if (!task || task->tgid != current->tgid) > + return NULL; > + } else if (event->sigev_notify == SIGEV_SIGNAL) { No, no, we can't use "else" here, > + if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX) because we skip the check above in SIGEV_THREAD_ID case. This way any user can crash the kernel with a minimal effort. Oleg. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: + make-good_sigevent-non-static.patch added to -mm tree 2007-01-25 15:43 + make-good_sigevent-non-static.patch added to -mm tree Oleg Nesterov @ 2007-01-26 9:32 ` Sébastien Dugué 2007-01-26 10:08 ` Oleg Nesterov 0 siblings, 1 reply; 4+ messages in thread From: Sébastien Dugué @ 2007-01-26 9:32 UTC (permalink / raw) To: Oleg Nesterov Cc: Zach Brown, Suparna Bhattacharya, Benjamin LaHaise, Ulrich Drepper, Ingo Molnar, Thomas Gleixner, Andrew Morton, linux-kernel On Thu, 25 Jan 2007 18:43:24 +0300 Oleg Nesterov <oleg@tv-sign.ru> wrote: > SИbastien DuguИ wrote: > > > > +struct task_struct *good_sigevent(sigevent_t *event) > > +{ > > + struct task_struct *task = current->group_leader; > > + > > + if ((event->sigev_notify & SIGEV_THREAD_ID) == SIGEV_THREAD_ID) { > > + task = find_task_by_pid(event->sigev_notify_thread_id); > > + > > + if (!task || task->tgid != current->tgid) > > + return NULL; > > + } else if (event->sigev_notify == SIGEV_SIGNAL) { > > No, no, we can't use "else" here, > > > + if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX) > > because we skip the check above in SIGEV_THREAD_ID case. Right, will fix this. > > This way any user can crash the kernel with a minimal effort. Well I tried, no crash, just the signal failing to be delivered. Thanks, Sébastien. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: + make-good_sigevent-non-static.patch added to -mm tree 2007-01-26 9:32 ` Sébastien Dugué @ 2007-01-26 10:08 ` Oleg Nesterov 2007-01-26 10:39 ` Sébastien Dugué 0 siblings, 1 reply; 4+ messages in thread From: Oleg Nesterov @ 2007-01-26 10:08 UTC (permalink / raw) To: S?bastien Dugu? Cc: Zach Brown, Suparna Bhattacharya, Benjamin LaHaise, Ulrich Drepper, Ingo Molnar, Thomas Gleixner, Andrew Morton, linux-kernel On 01/26, S?bastien Dugu? wrote: > > On Thu, 25 Jan 2007 18:43:24 +0300 Oleg Nesterov <oleg@tv-sign.ru> wrote: > > > SИbastien DuguИ wrote: > > > > > > +struct task_struct *good_sigevent(sigevent_t *event) > > > +{ > > > + struct task_struct *task = current->group_leader; > > > + > > > + if ((event->sigev_notify & SIGEV_THREAD_ID) == SIGEV_THREAD_ID) { > > > + task = find_task_by_pid(event->sigev_notify_thread_id); > > > + > > > + if (!task || task->tgid != current->tgid) > > > + return NULL; > > > + } else if (event->sigev_notify == SIGEV_SIGNAL) { > > > > No, no, we can't use "else" here, > > > > > + if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX) > > > > because we skip the check above in SIGEV_THREAD_ID case. > > Right, will fix this. > > > > > This way any user can crash the kernel with a minimal effort. > > Well I tried, no crash, just the signal failing to be delivered. sigaddset: set->sig[sig / _NSIG_BPW] |= 1UL << (sig % _NSIG_BPW); This writes to ->sig[event->sigev_signo / _NSIG_BPW] location, so we can corrupt the memory if ->sigev_signo > _NSIG. Btw, since you are exporting this function, may I suggest to rename it? No, I can't suggest a better name :) But "good_sigevent" is a bit confusing imho. Oleg. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: + make-good_sigevent-non-static.patch added to -mm tree 2007-01-26 10:08 ` Oleg Nesterov @ 2007-01-26 10:39 ` Sébastien Dugué 0 siblings, 0 replies; 4+ messages in thread From: Sébastien Dugué @ 2007-01-26 10:39 UTC (permalink / raw) To: Oleg Nesterov Cc: Zach Brown, Suparna Bhattacharya, Benjamin LaHaise, Ulrich Drepper, Ingo Molnar, Thomas Gleixner, Andrew Morton, linux-kernel On Fri, 26 Jan 2007 13:08:01 +0300 Oleg Nesterov <oleg@tv-sign.ru> wrote: > On 01/26, S?bastien Dugu? wrote: > > > > On Thu, 25 Jan 2007 18:43:24 +0300 Oleg Nesterov <oleg@tv-sign.ru> wrote: > > > > > SИbastien DuguИ wrote: > > > > > > > > +struct task_struct *good_sigevent(sigevent_t *event) > > > > +{ > > > > + struct task_struct *task = current->group_leader; > > > > + > > > > + if ((event->sigev_notify & SIGEV_THREAD_ID) == SIGEV_THREAD_ID) { > > > > + task = find_task_by_pid(event->sigev_notify_thread_id); > > > > + > > > > + if (!task || task->tgid != current->tgid) > > > > + return NULL; > > > > + } else if (event->sigev_notify == SIGEV_SIGNAL) { > > > > > > No, no, we can't use "else" here, > > > > > > > + if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX) > > > > > > because we skip the check above in SIGEV_THREAD_ID case. > > > > Right, will fix this. > > > > > > > > This way any user can crash the kernel with a minimal effort. > > > > Well I tried, no crash, just the signal failing to be delivered. > > sigaddset: > > set->sig[sig / _NSIG_BPW] |= 1UL << (sig % _NSIG_BPW); > > This writes to ->sig[event->sigev_signo / _NSIG_BPW] location, so we can > corrupt the memory if ->sigev_signo > _NSIG. Gawd, right. > > Btw, since you are exporting this function, may I suggest to rename it? > No, I can't suggest a better name :) But "good_sigevent" is a bit confusing > imho. I agree, there was a discussion concerning this a while back but nothing came out of it and I left it as is. I will try to find something more suggestive. Thanks, Sébastien. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-01-26 10:40 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2007-01-25 15:43 + make-good_sigevent-non-static.patch added to -mm tree Oleg Nesterov 2007-01-26 9:32 ` Sébastien Dugué 2007-01-26 10:08 ` Oleg Nesterov 2007-01-26 10:39 ` Sébastien Dugué
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox