From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752550AbbJLP6J (ORCPT <rfc822;w@1wt.eu>);
	Mon, 12 Oct 2015 11:58:09 -0400
Received: from mx1.redhat.com ([209.132.183.28]:48759 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751659AbbJLP6H (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Mon, 12 Oct 2015 11:58:07 -0400
Date: Mon, 12 Oct 2015 17:54:44 +0200
From: Oleg Nesterov <oleg@redhat.com>
To: "Amanieu d'Antras" <amanieu@gmail.com>
Cc: linux-kernel@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>,
        "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Subject: Re: [PATCH] signal: Make the si_code check in rt_[tg]sigqueueinfo
	stricter
Message-ID: <20151012155444.GA26302@redhat.com>
References: <1444664034-22446-1-git-send-email-amanieu@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1444664034-22446-1-git-send-email-amanieu@gmail.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/12, Amanieu d'Antras wrote:
>
> rt_sigqueueinfo and rt_tgsigqueueinfo check the value of si_code to
> prevent a process from spoofing a kernel-generated signal or one
> generated by kill/tgkill.
>
> Unfortunately this check failed to take into account the fact that
> the si_code value seen by a user process is only the low 16 bits of
> the value in the kernel. It was still possible to spoof any si_code
> by ORing 0xffff into the top 16 bits.

Confused...

> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -2989,7 +2989,7 @@ static int do_rt_sigqueueinfo(pid_t pid, int sig, siginfo_t *info)
>  	/* Not even root can pretend to send signals from the kernel.
>  	 * Nor can they impersonate a kill()/tgkill(), which adds source info.
>  	 */
> -	if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
> +	if (((short)info->si_code >= 0 || (short)info->si_code == SI_TKILL) &&
>  	    (task_pid_vnr(current) != pid))
>  		return -EPERM;
>
> @@ -3037,7 +3037,7 @@ static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info)
>  	/* Not even root can pretend to send signals from the kernel.
>  	 * Nor can they impersonate a kill()/tgkill(), which adds source info.
>  	 */
> -	if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
> +	if (((short)info->si_code >= 0 || (short)info->si_code == SI_TKILL) &&
>  	    (task_pid_vnr(current) != pid))
>  		return -EPERM;

Yes, copy_siginfo_to_user() does __put_user((short)from->si_code).
But SI_FROMUSER/SI_FROMKERNEL are internal kernel checks, we mostly
use them in copy_siginfo_to_user().

And note that if ->si_code < 0 we simply do __copy_to_user(), so
userspace can't see something which looks like "from kernel", in
this case we do not truncate ->si_code.

So I do not think this patch is right.

Oleg.