From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Jan Kiszka <jan.kiszka@siemens.com>
Subject: [ 43/54] compat: Fix RT signal mask corruption via sigprocmask
Date: Fri, 18 May 2012 14:16:42 -0700 [thread overview]
Message-ID: <20120518211603.400350443@linuxfoundation.org> (raw)
In-Reply-To: <20120518212656.GA4992@kroah.com>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kiszka <jan.kiszka@siemens.com>
commit b7dafa0ef3145c31d7753be0a08b3cbda51f0209 upstream.
compat_sys_sigprocmask reads a smaller signal mask from userspace than
sigprogmask accepts for setting. So the high word of blocked.sig[0]
will be cleared, releasing any potentially blocked RT signal.
This was discovered via userspace code that relies on get/setcontext.
glibc's i386 versions of those functions use sigprogmask instead of
rt_sigprogmask to save/restore signal mask and caused RT signal
unblocking this way.
As suggested by Linus, this replaces the sys_sigprocmask based compat
version with one that open-codes the required logic, including the merge
of the existing blocked set with the new one provided on SIG_SETMASK.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/compat.c | 65 ++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 47 insertions(+), 18 deletions(-)
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -318,25 +318,54 @@ asmlinkage long compat_sys_sigpending(co
#ifdef __ARCH_WANT_SYS_SIGPROCMASK
-asmlinkage long compat_sys_sigprocmask(int how, compat_old_sigset_t __user *set,
- compat_old_sigset_t __user *oset)
+/*
+ * sys_sigprocmask SIG_SETMASK sets the first (compat) word of the
+ * blocked set of signals to the supplied signal set
+ */
+static inline void compat_sig_setmask(sigset_t *blocked, compat_sigset_word set)
{
- old_sigset_t s;
- long ret;
- mm_segment_t old_fs;
-
- if (set && get_user(s, set))
- return -EFAULT;
- old_fs = get_fs();
- set_fs(KERNEL_DS);
- ret = sys_sigprocmask(how,
- set ? (old_sigset_t __user *) &s : NULL,
- oset ? (old_sigset_t __user *) &s : NULL);
- set_fs(old_fs);
- if (ret == 0)
- if (oset)
- ret = put_user(s, oset);
- return ret;
+ memcpy(blocked->sig, &set, sizeof(set));
+}
+
+asmlinkage long compat_sys_sigprocmask(int how,
+ compat_old_sigset_t __user *nset,
+ compat_old_sigset_t __user *oset)
+{
+ old_sigset_t old_set, new_set;
+ sigset_t new_blocked;
+
+ old_set = current->blocked.sig[0];
+
+ if (nset) {
+ if (get_user(new_set, nset))
+ return -EFAULT;
+ new_set &= ~(sigmask(SIGKILL) | sigmask(SIGSTOP));
+
+ new_blocked = current->blocked;
+
+ switch (how) {
+ case SIG_BLOCK:
+ sigaddsetmask(&new_blocked, new_set);
+ break;
+ case SIG_UNBLOCK:
+ sigdelsetmask(&new_blocked, new_set);
+ break;
+ case SIG_SETMASK:
+ compat_sig_setmask(&new_blocked, new_set);
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ set_current_blocked(&new_blocked);
+ }
+
+ if (oset) {
+ if (put_user(old_set, oset))
+ return -EFAULT;
+ }
+
+ return 0;
}
#endif
next prev parent reply other threads:[~2012-05-18 21:16 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-18 21:26 [ 00/54] 3.0.32-stable review Greg KH
2012-05-18 21:16 ` [ 01/54] smsc95xx: mark link down on startup and let PHY interrupt deal with carrier changes Greg KH
2012-05-18 21:16 ` [ 02/54] xen/pte: Fix crashes when trying to see non-existent PGD/PMD/PUD/PTEs Greg KH
2012-05-18 21:16 ` [ 03/54] xen/pci: dont use PCI BIOS service for configuration space accesses Greg KH
2012-05-18 21:16 ` [ 04/54] percpu, x86: dont use PMD_SIZE as embedded atom_size on 32bit Greg KH
2012-05-18 21:16 ` [ 05/54] asm-generic: Use __BITS_PER_LONG in statfs.h Greg KH
2012-05-18 21:16 ` [ 06/54] Fix __read_seqcount_begin() to use ACCESS_ONCE for sequence value read Greg KH
2012-05-18 21:16 ` [ 07/54] ARM: 7410/1: Add extra clobber registers for assembly in kernel_execve Greg KH
2012-05-18 21:16 ` [ 08/54] ARM: 7414/1: SMP: prevent use of the console when using idmap_pgd Greg KH
2012-05-18 21:16 ` [ 09/54] regulator: Fix the logic to ensure new voltage setting in valid range Greg KH
2012-05-18 21:16 ` [ 10/54] ARM: orion5x: Fix GPIO enable bits for MPP9 Greg KH
2012-05-18 21:16 ` [ 11/54] asix: Fix tx transfer padding for full-speed USB Greg KH
2012-05-18 21:16 ` [ 12/54] netem: fix possible skb leak Greg KH
2012-05-18 21:16 ` [ 13/54] net: In unregister_netdevice_notifier unregister the netdevices Greg KH
2012-05-21 17:35 ` Herton Ronaldo Krzesinski
2012-05-27 0:13 ` Greg KH
2012-05-27 0:18 ` David Miller
2012-05-27 0:22 ` Greg KH
2012-05-18 21:16 ` [ 14/54] net: l2tp: unlock socket lock before returning from l2tp_ip_sendmsg Greg KH
2012-05-18 21:16 ` [ 15/54] sky2: propogate rx hash when packet is copied Greg KH
2012-05-18 21:16 ` [ 16/54] sky2: fix receive length error in mixed non-VLAN/VLAN traffic Greg KH
2012-05-18 21:16 ` [ 17/54] tg3: Avoid panic from reserved statblk field access Greg KH
2012-05-18 21:16 ` [ 18/54] sungem: Fix WakeOnLan Greg KH
2012-05-18 21:16 ` [ 19/54] tcp: change tcp_adv_win_scale and tcp_rmem[2] Greg KH
2012-05-18 21:16 ` [ 20/54] sony-laptop: Enable keyboard backlight by default Greg KH
2012-05-18 21:16 ` [ 21/54] ALSA: echoaudio: Remove incorrect part of assertion Greg KH
2012-05-18 21:16 ` [ 22/54] ALSA: HDA: Lessen CPU usage when waiting for chip to respond Greg KH
2012-05-18 21:16 ` [ 23/54] usbnet: fix skb traversing races during unlink(v2) Greg KH
2012-05-18 21:16 ` [ 24/54] namespaces, pid_ns: fix leakage on fork() failure Greg KH
2012-05-18 21:16 ` [ 25/54] sparc64: Do not clobber %g2 in xcall_fetch_glob_regs() Greg KH
2012-05-18 21:16 ` [ 26/54] ARM: prevent VM_GROWSDOWN mmaps extending below FIRST_USER_ADDRESS Greg KH
2012-05-18 21:16 ` [ 27/54] media: rc: Postpone ISR registration Greg KH
2012-05-18 21:16 ` [ 28/54] cdc_ether: Ignore bogus union descriptor for RNDIS devices Greg KH
2012-05-18 21:16 ` [ 29/54] cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN Greg KH
2012-05-18 21:16 ` [ 30/54] percpu: pcpu_embed_first_chunk() should free unused parts after all allocs are complete Greg KH
2012-05-18 21:16 ` [ 31/54] kmemleak: Fix the kmemleak tracking of the percpu areas with !SMP Greg KH
2012-05-19 13:27 ` Christoph Biedl
2012-05-19 14:46 ` Greg KH
2012-05-19 15:45 ` Christoph Biedl
2012-05-19 21:45 ` Catalin Marinas
2012-05-18 21:16 ` [ 32/54] hugetlb: prevent BUG_ON in hugetlb_fault() -> hugetlb_cow() Greg KH
2012-05-18 21:16 ` [ 33/54] mm: nobootmem: fix sign extend problem in __free_pages_memory() Greg KH
2012-05-18 21:16 ` [ 34/54] jffs2: Fix lock acquisition order bug in gc path Greg KH
2012-05-18 21:16 ` [ 35/54] arch/tile: apply commit 74fca9da0 to the compat signal handling as well Greg KH
2012-05-18 21:16 ` [ 36/54] crypto: mv_cesa requires on CRYPTO_HASH to build Greg KH
2012-05-18 21:16 ` [ 37/54] MD: Add del_timer_sync to mddev_suspend (fix nasty panic) Greg KH
2012-05-18 21:16 ` [ 38/54] tcp: do_tcp_sendpages() must try to push data out on oom conditions Greg KH
2012-05-18 21:16 ` [ 39/54] init: dont try mounting device as nfs root unless type fully matches Greg KH
2012-05-18 21:16 ` [ 40/54] ext4: avoid deadlock on sync-mounted FS w/o journal Greg KH
2012-05-18 21:16 ` [ 41/54] NFSv4: Revalidate uid/gid after open Greg KH
2012-05-18 21:16 ` [ 42/54] memcg: free spare array to avoid memory leak Greg KH
2012-05-18 21:16 ` Greg KH [this message]
2012-05-18 21:16 ` [ 44/54] ext3: Fix error handling on inode bitmap corruption Greg KH
2012-05-18 21:16 ` [ 45/54] ext4: fix " Greg KH
2012-05-18 21:16 ` [ 46/54] ACPI / PM: Add Sony Vaio VPCCW29FX to nonvs blacklist Greg KH
2012-05-18 21:16 ` [ 47/54] SCSI: hpsa: Add IRQF_SHARED back in for the non-MSI(X) interrupt handler Greg KH
2012-05-18 21:16 ` [ 48/54] wake up s_wait_unfrozen when ->freeze_fs fails Greg KH
2012-05-18 21:16 ` [ 49/54] pch_gpio: Support new device LAPIS Semiconductor ML7831 IOH Greg KH
2012-05-18 21:16 ` [ 50/54] pch_gbe: fixed the issue which receives an unnecessary packet Greg KH
2012-05-18 21:16 ` [ 51/54] pch_gbe: support ML7831 IOH Greg KH
2012-05-18 21:16 ` [ 52/54] pch_gbe: Fixed the issue on which PC was frozen when link was downed Greg KH
2012-05-18 21:16 ` [ 53/54] pch_gbe: Do not abort probe on bad MAC Greg KH
2012-05-18 21:16 ` [ 54/54] pch_gbe: memory corruption calling pch_gbe_validate_option() Greg KH
2012-05-19 1:01 ` [ 00/54] 3.0.32-stable review Steven Rostedt
2012-05-19 4:20 ` Greg KH
2012-05-20 2:01 ` [PATCH] pidmap: Use GFP_ATOMIC to allocate page (was: Re: [ 00/54] 3.0.32-stable review) Steven Rostedt
2012-05-20 2:32 ` David Rientjes
2012-05-20 19:03 ` Linus Torvalds
2012-05-20 23:22 ` David Rientjes
2012-05-20 23:35 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120518211603.400350443@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jan.kiszka@siemens.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).