From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Yoji <yoji.fujihar.min@gmail.com>,
Oleg Nesterov <oleg@redhat.com>,
Manfred Spraul <manfred@colorfullife.com>,
Andrew Morton <akpm@linux-foundation.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Davidlohr Bueso <dave@stgolabs.net>,
Markus Elfring <elfring@users.sourceforge.net>,
1vier1@web.de, Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 48/48] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()
Date: Wed, 13 May 2020 11:45:14 +0200 [thread overview]
Message-ID: <20200513094405.122260162@linuxfoundation.org> (raw)
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit b5f2006144c6ae941726037120fa1001ddede784 ]
Commit cc731525f26a ("signal: Remove kernel interal si_code magic")
changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify() no
longer works if the sender doesn't have rights to send a signal.
Change __do_notify() to use do_send_sig_info() instead of kill_pid_info()
to avoid check_kill_permission().
This needs the additional notify.sigev_signo != 0 check, shouldn't we
change do_mq_notify() to deny sigev_signo == 0 ?
Test-case:
#include <signal.h>
#include <mqueue.h>
#include <unistd.h>
#include <sys/wait.h>
#include <assert.h>
static int notified;
static void sigh(int sig)
{
notified = 1;
}
int main(void)
{
signal(SIGIO, sigh);
int fd = mq_open("/mq", O_RDWR|O_CREAT, 0666, NULL);
assert(fd >= 0);
struct sigevent se = {
.sigev_notify = SIGEV_SIGNAL,
.sigev_signo = SIGIO,
};
assert(mq_notify(fd, &se) == 0);
if (!fork()) {
assert(setuid(1) == 0);
mq_send(fd, "",1,0);
return 0;
}
wait(NULL);
mq_unlink("/mq");
assert(notified);
return 0;
}
[manfred@colorfullife.com: 1) Add self_exec_id evaluation so that the implementation matches do_notify_parent 2) use PIDTYPE_TGID everywhere]
Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic")
Reported-by: Yoji <yoji.fujihar.min@gmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Markus Elfring <elfring@users.sourceforge.net>
Cc: <1vier1@web.de>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/e2a782e4-eab9-4f5c-c749-c07a8f7a4e66@colorfullife.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
ipc/mqueue.c | 34 ++++++++++++++++++++++++++--------
1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index de4070d5472f2..46d0265423f5b 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -76,6 +76,7 @@ struct mqueue_inode_info {
struct sigevent notify;
struct pid *notify_owner;
+ u32 notify_self_exec_id;
struct user_namespace *notify_user_ns;
struct user_struct *user; /* user who created, for accounting */
struct sock *notify_sock;
@@ -662,28 +663,44 @@ static void __do_notify(struct mqueue_inode_info *info)
* synchronously. */
if (info->notify_owner &&
info->attr.mq_curmsgs == 1) {
- struct siginfo sig_i;
switch (info->notify.sigev_notify) {
case SIGEV_NONE:
break;
- case SIGEV_SIGNAL:
- /* sends signal */
+ case SIGEV_SIGNAL: {
+ struct siginfo sig_i;
+ struct task_struct *task;
+
+ /* do_mq_notify() accepts sigev_signo == 0, why?? */
+ if (!info->notify.sigev_signo)
+ break;
clear_siginfo(&sig_i);
sig_i.si_signo = info->notify.sigev_signo;
sig_i.si_errno = 0;
sig_i.si_code = SI_MESGQ;
sig_i.si_value = info->notify.sigev_value;
- /* map current pid/uid into info->owner's namespaces */
rcu_read_lock();
+ /* map current pid/uid into info->owner's namespaces */
sig_i.si_pid = task_tgid_nr_ns(current,
ns_of_pid(info->notify_owner));
- sig_i.si_uid = from_kuid_munged(info->notify_user_ns, current_uid());
+ sig_i.si_uid = from_kuid_munged(info->notify_user_ns,
+ current_uid());
+ /*
+ * We can't use kill_pid_info(), this signal should
+ * bypass check_kill_permission(). It is from kernel
+ * but si_fromuser() can't know this.
+ * We do check the self_exec_id, to avoid sending
+ * signals to programs that don't expect them.
+ */
+ task = pid_task(info->notify_owner, PIDTYPE_TGID);
+ if (task && task->self_exec_id ==
+ info->notify_self_exec_id) {
+ do_send_sig_info(info->notify.sigev_signo,
+ &sig_i, task, PIDTYPE_TGID);
+ }
rcu_read_unlock();
-
- kill_pid_info(info->notify.sigev_signo,
- &sig_i, info->notify_owner);
break;
+ }
case SIGEV_THREAD:
set_cookie(info->notify_cookie, NOTIFY_WOKENUP);
netlink_sendskb(info->notify_sock, info->notify_cookie);
@@ -1273,6 +1290,7 @@ retry:
info->notify.sigev_signo = notification->sigev_signo;
info->notify.sigev_value = notification->sigev_value;
info->notify.sigev_notify = SIGEV_SIGNAL;
+ info->notify_self_exec_id = current->self_exec_id;
break;
}
--
2.20.1
next prev parent reply other threads:[~2020-05-13 10:04 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-13 9:44 [PATCH 4.19 00/48] 4.19.123-rc1 review Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 01/48] USB: serial: qcserial: Add DW5816e support Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 02/48] tracing/kprobes: Fix a double initialization typo Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 03/48] vt: fix unicode console freeing with a common interface Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 04/48] dp83640: reverse arguments to list_add_tail Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 05/48] fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 06/48] net: macsec: preserve ingress frame ordering Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 07/48] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 08/48] net_sched: sch_skbprio: add message validation to skbprio_change() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 09/48] net: usb: qmi_wwan: add support for DW5816e Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 10/48] sch_choke: avoid potential panic in choke_reset() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 11/48] sch_sfq: validate silly quantum values Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 12/48] tipc: fix partial topology connection closure Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 13/48] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 14/48] net/mlx5: Fix forced completion access non initialized command entry Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 15/48] net/mlx5: Fix command entry leak in Internal Error State Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 16/48] bnxt_en: Improve AER slot reset Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 17/48] bnxt_en: Fix VF anti-spoof filter setup Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 18/48] net: stricter validation of untrusted gso packets Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 19/48] HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 20/48] sctp: Fix bundling of SHUTDOWN with COOKIE-ACK Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 21/48] HID: usbhid: Fix race between usbhid_close() and usbhid_stop() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 22/48] USB: uas: add quirk for LaCie 2Big Quadra Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 23/48] USB: serial: garmin_gps: add sanity checking for data length Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 24/48] tracing: Add a vmalloc_sync_mappings() for safe measure Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 25/48] KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 26/48] KVM: arm64: Fix 32bit PC wrap-around Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 27/48] arm64: hugetlb: avoid potential NULL dereference Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 28/48] mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 29/48] staging: gasket: Check the return value of gasket_get_bar_index() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 30/48] coredump: fix crash when umh is disabled Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 31/48] KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 32/48] KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()s asm blob Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 33/48] batman-adv: fix batadv_nc_random_weight_tq Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 34/48] batman-adv: Fix refcnt leak in batadv_show_throughput_override Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 35/48] batman-adv: Fix refcnt leak in batadv_store_throughput_override Greg Kroah-Hartman
2020-05-13 21:03 ` Pavel Machek
2020-05-13 9:45 ` [PATCH 4.19 36/48] batman-adv: Fix refcnt leak in batadv_v_ogm_process Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 37/48] x86/entry/64: Fix unwind hints in register clearing code Greg Kroah-Hartman
2020-05-13 21:48 ` Pavel Machek
2020-05-14 19:27 ` Josh Poimboeuf
2020-05-13 9:45 ` [PATCH 4.19 38/48] x86/entry/64: Fix unwind hints in kernel exit path Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 39/48] x86/entry/64: Fix unwind hints in rewind_stack_do_exit() Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 40/48] x86/unwind/orc: Dont skip the first frame for inactive tasks Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization Greg Kroah-Hartman
2020-05-13 21:52 ` Pavel Machek
2020-05-14 19:44 ` Josh Poimboeuf
2020-05-14 20:13 ` Pavel Machek
2020-05-14 20:28 ` Josh Poimboeuf
2020-05-13 9:45 ` [PATCH 4.19 42/48] x86/unwind/orc: Fix error path for bad ORC entry type Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 43/48] x86/unwind/orc: Fix premature unwind stoppage due to IRET frames Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 44/48] netfilter: nat: never update the UDP checksum when its 0 Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 45/48] netfilter: nf_osf: avoid passing pointer to local var Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 46/48] objtool: Fix stack offset tracking for indirect CFAs Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 47/48] scripts/decodecode: fix trapping instruction formatting Greg Kroah-Hartman
2020-05-13 9:45 ` Greg Kroah-Hartman [this message]
2020-05-13 13:45 ` [PATCH 4.19 00/48] 4.19.123-rc1 review Jon Hunter
2020-05-13 17:03 ` Guenter Roeck
2020-05-13 18:14 ` Naresh Kamboju
2020-05-13 19:29 ` Chris Paterson
2020-05-13 23:02 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200513094405.122260162@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=1vier1@web.de \
--cc=akpm@linux-foundation.org \
--cc=dave@stgolabs.net \
--cc=ebiederm@xmission.com \
--cc=elfring@users.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred@colorfullife.com \
--cc=oleg@redhat.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=yoji.fujihar.min@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox