[PATCH 1/1] __send_signal: pass q->info, not info, to userns_fixup_signal_uid (v2)

[PATCH 1/1] __send_signal: pass q->info, not info, to userns_fixup_signal_uid (v2)

[Serge Hallyn]

Eric Biederman pointed out that passing info is a bug and could lead
to a NULL pointer deref to boot.

A collection of signal, securebits, filecaps, cap_bounds, and a few other ltp
tests passed with this kernel.

Changelog:
    Nov 18: previous patch missed a leading '&'

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
---
 kernel/signal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/kernel/signal.c b/kernel/signal.c
index c0f0782..170586b 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1118,7 +1118,7 @@ static int __send_signal(int sig, struct siginfo *info, struct task_struct *t,
 			break;
 		}
 
-		userns_fixup_signal_uid(info, t);
+		userns_fixup_signal_uid(&q->info, t);
 
 	} else if (!is_si_special(info)) {
 		if (sig >= SIGRTMIN && info->si_code != SI_USER) {
-- 
1.7.5.4

Re: [PATCH 1/1] __send_signal: pass q->info, not info, to userns_fixup_signal_uid (v2)

[Jiri Slaby]

On 11/19/2011 01:41 AM, Serge Hallyn wrote:
> Eric Biederman pointed out that passing info is a bug and could lead
> to a NULL pointer deref to boot.

It would be great if you could describe what bug you are fixing in fact
in the commit log. "Something that could lead to a bug" is not helpful
at all.

A link to the thread where Eric pointed *that* out would be enough.

> A collection of signal, securebits, filecaps, cap_bounds, and a few other ltp
> tests passed with this kernel.
> 
> Changelog:
>     Nov 18: previous patch missed a leading '&'
> 
> Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
> ---
>  kernel/signal.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/kernel/signal.c b/kernel/signal.c
> index c0f0782..170586b 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1118,7 +1118,7 @@ static int __send_signal(int sig, struct siginfo *info, struct task_struct *t,
>  			break;
>  		}
>  
> -		userns_fixup_signal_uid(info, t);
> +		userns_fixup_signal_uid(&q->info, t);
>  
>  	} else if (!is_si_special(info)) {
>  		if (sig >= SIGRTMIN && info->si_code != SI_USER) {

thanks,
-- 
js

Re: [PATCH 1/1] __send_signal: pass q->info, not info, to userns_fixup_signal_uid (v2)

[Andrew Morton]

On Sat, 19 Nov 2011 17:06:49 +0100
Jiri Slaby <jirislaby@gmail.com> wrote:

> On 11/19/2011 01:41 AM, Serge Hallyn wrote:
> > Eric Biederman pointed out that passing info is a bug and could lead
> > to a NULL pointer deref to boot.
> 
> It would be great if you could describe what bug you are fixing in fact
> in the commit log. "Something that could lead to a bug" is not helpful
> at all.
> 
> A link to the thread where Eric pointed *that* out would be enough.

What Serge is secretly hiding from everyone is that this patch is a
fixup against his earlier "user namespace: make signal.c respect user
namespaces v5".  So the fix isn't very interesting for people who
aren't running that patch.