Date: Wed, 29 Apr 2026 10:29:21 +0200
From: Oleg Nesterov
To: Andrew Morton
Cc: Andy Lutomirski, Kees Cook, Kusaram Devineni, Peter Zijlstra, Thomas Gleixner, Will Drewry, linux-kernel@vger.kernel.org
Subject: [PATCH] signal: prevent evasion of SA_IMMUTABLE signals

force_sig_info_to_task(HANDLER_EXIT) sets SA_IMMUTABLE to ensure a forced
fatal signal cannot be ignored or caught by userspace; it must always
terminate the target.

However, if get_signal() dequeues another synchronous signal first, and that
signal has a handler and its sa_mask includes the fatal SA_IMMUTABLE signal,
the task can return to userspace and survive.

So dequeue_synchronous_signal() must always dequeue an SA_IMMUTABLE signal
first. But it relies on the SI_FROMKERNEL() check and picks the first one it
sees in pending->list, and thus we have the following problems:

- If the same signal was already pending and blocked, the new siginfo with
  .si_code > 0 will be lost. Change __send_signal_locked() to bypass the
  legacy_queue() check in this case.

- If force_sig_info_to_task() races with another synchronous/SI_FROMKERNEL
  signal, that signal can be picked first. Change __send_signal_locked() to
  add an SA_IMMUTABLE at the start of pending->list.

- SA_IMMUTABLE implies override_rlimit == true, but GFP_ATOMIC can fail
  anyway. Change __send_signal_locked() to escalate to SIGKILL in this (very
  unlikely) case. Not perfect and perhaps deserves WARN() or
  pr_warn_ratelimited(), but better than nothing.

Signed-off-by: Oleg Nesterov
---
 kernel/signal.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/kernel/signal.c b/kernel/signal.c
index 9924489c43a5..e4605daa8d04 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1034,6 +1034,11 @@ static void complete_signal(int sig, struct task_struct *p, enum pid_type type) return; } +static inline bool sa_immutable(struct sighand_struct *sighand, int sig) +{ + return sighand->action[sig - 1].sa.sa_flags & SA_IMMUTABLE; +} + static inline bool legacy_queue(struct sigpending *signals, int sig) { return (sig < SIGRTMIN) && sigismember(&signals->signal, sig); @@ -1042,6 +1047,7 @@ static inline bool legacy_queue(struct sigpending *signals, int sig) static int __send_signal_locked(int sig, struct kernel_siginfo *info, struct task_struct *t, enum pid_type type, bool force) { + bool immutable = sa_immutable(t->sighand, sig); struct sigpending *pending; struct sigqueue *q; int override_rlimit; @@ -1055,12 +1061,12 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info, pending = (type != PIDTYPE_PID) ? &t->signal->shared_pending : &t->pending; /* - * Short-circuit ignored signals and support queuing - * exactly one non-rt signal, so that we can get more - * detailed information about the cause of the signal. + * Queue exactly one non-rt signal so that we can get more + * detailed information about the cause. But we must never + * lose the siginfo for an SA_IMMUTABLE signal. */ result = TRACE_SIGNAL_ALREADY_PENDING; - if (legacy_queue(pending, sig)) + if (legacy_queue(pending, sig) && !immutable) goto ret; result = TRACE_SIGNAL_DELIVERED; @@ -1087,7 +1093,12 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info, q = sigqueue_alloc(sig, t, GFP_ATOMIC, override_rlimit); if (q) { - list_add_tail(&q->list, &pending->list); + /* Ensure dequeue_synchronous_signal() sees SA_IMMUTABLE first */ + if (immutable) + list_add(&q->list, &pending->list); + else + list_add_tail(&q->list, &pending->list); + switch ((unsigned long) info) { case (unsigned long) SEND_SIG_NOINFO: clear_siginfo(&q->info); 
@@ -1130,6 +1141,9 @@ static int __send_signal_locked(int sig, struct kernel_siginfo *info, * send the signal, but the *info bits are lost. */ result = TRACE_SIGNAL_LOSE_INFO; + /* The task must not escape SA_IMMUTABLE; escalate to SIGKILL */ + if (immutable) + sig = SIGKILL; } out_set: -- 2.52.0
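Review bot: sa_immutable() in the @@ -1034 hunk reads sighand->action[sig - 1] without stating its locking requirement; the action table is only stable under sighand->siglock, which __send_signal_locked() holds, so a one-line comment such as `/* caller must hold sighand->siglock */` above the helper would stop a future caller from using it unlocked.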
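Review bot: in the @@ -1055 hunk, `if (legacy_queue(pending, sig) && !immutable)` deliberately allows a second sigqueue entry for a non-rt signal that is already a member of pending->signal, but the rewritten comment only says the siginfo must not be lost. It should also say that the duplicate is intentional, that the new entry is placed ahead of the stale one, and that the stale entry is harmless because the task cannot survive dequeueing the SA_IMMUTABLE signal; otherwise the next reader will take the duplicate for a bug.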
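Review bot: the head insertion in the @@ -1087 hunk (`list_add(&q->list, &pending->list)` when `immutable`) only changes the walk order seen by dequeue_synchronous_signal(), which is the per-thread, synchronous-signal path described in the changelog; it does not give any ordering guarantee for a group-directed send into shared_pending or for a signal that function does not consider. The comment `/* Ensure dequeue_synchronous_signal() sees SA_IMMUTABLE first */` should say that the guarantee is limited to the force_sig_info_to_task() case so nobody later relies on it more broadly.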
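Review bot: in the @@ -1130 hunk the escalation `if (immutable) sig = SIGKILL;` is silent, although the changelog itself says this case deserves WARN() or pr_warn_ratelimited(); a `pr_warn_ratelimited()` (or at least `WARN_ON_ONCE()`) next to the assignment would make a GFP_ATOMIC failure on a forced fatal signal visible in the logs. The existing comment above it, "We still send the signal, but the *info bits are lost.", is no longer accurate for this branch since a different signal is now sent, and `result` stays TRACE_SIGNAL_LOSE_INFO while the signal number changes, which is worth a word in the comment.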