From: Oleg Nesterov oleg@redhat.com Subject: ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()
Commit cc731525f26a ("signal: Remove kernel interal si_code magic") changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify() no longer works if the sender doesn't have rights to send a signal.
Change __do_notify() to use do_send_sig_info() instead of kill_pid_info() to avoid check_kill_permission().
This needs the additional notify.sigev_signo != 0 check, shouldn't we change do_mq_notify() to deny sigev_signo == 0 ?
Test-case:
#include <signal.h> #include <mqueue.h> #include <unistd.h> #include <sys/wait.h> #include <assert.h>
static int notified;
static void sigh(int sig) { notified = 1; }
int main(void) { signal(SIGIO, sigh);
int fd = mq_open("/mq", O_RDWR|O_CREAT, 0666, NULL); assert(fd >= 0);
struct sigevent se = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGIO, }; assert(mq_notify(fd, &se) == 0);
if (!fork()) { assert(setuid(1) == 0); mq_send(fd, "",1,0); return 0; }
wait(NULL); mq_unlink("/mq"); assert(notified); return 0; }
[manfred@colorfullife.com: 1) Add self_exec_id evaluation so that the implementation matches do_notify_parent 2) use PIDTYPE_TGID everywhere] Link: http://lkml.kernel.org/r/e2a782e4-eab9-4f5c-c749-c07a8f7a4e66@colorfullife.c... Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic") Reported-by: Yoji yoji.fujihar.min@gmail.com Signed-off-by: Oleg Nesterov oleg@redhat.com Signed-off-by: Manfred Spraul manfred@colorfullife.com Acked-by: "Eric W. Biederman" ebiederm@xmission.com Cc: Davidlohr Bueso dave@stgolabs.net Cc: Markus Elfring elfring@users.sourceforge.net Cc: 1vier1@web.de Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org ---
ipc/mqueue.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-)
--- a/ipc/mqueue.c~ipc-mqueuec-change-__do_notify-to-bypass-check_kill_permission-v2 +++ a/ipc/mqueue.c @@ -142,6 +142,7 @@ struct mqueue_inode_info {
struct sigevent notify; struct pid *notify_owner; + u32 notify_self_exec_id; struct user_namespace *notify_user_ns; struct user_struct *user; /* user who created, for accounting */ struct sock *notify_sock; @@ -773,28 +774,44 @@ static void __do_notify(struct mqueue_in * synchronously. */ if (info->notify_owner && info->attr.mq_curmsgs == 1) { - struct kernel_siginfo sig_i; switch (info->notify.sigev_notify) { case SIGEV_NONE: break; - case SIGEV_SIGNAL: - /* sends signal */ + case SIGEV_SIGNAL: { + struct kernel_siginfo sig_i; + struct task_struct *task; + + /* do_mq_notify() accepts sigev_signo == 0, why?? */ + if (!info->notify.sigev_signo) + break;
clear_siginfo(&sig_i); sig_i.si_signo = info->notify.sigev_signo; sig_i.si_errno = 0; sig_i.si_code = SI_MESGQ; sig_i.si_value = info->notify.sigev_value; - /* map current pid/uid into info->owner's namespaces */ rcu_read_lock(); + /* map current pid/uid into info->owner's namespaces */ sig_i.si_pid = task_tgid_nr_ns(current, ns_of_pid(info->notify_owner)); - sig_i.si_uid = from_kuid_munged(info->notify_user_ns, current_uid()); + sig_i.si_uid = from_kuid_munged(info->notify_user_ns, + current_uid()); + /* + * We can't use kill_pid_info(), this signal should + * bypass check_kill_permission(). It is from kernel + * but si_fromuser() can't know this. + * We do check the self_exec_id, to avoid sending + * signals to programs that don't expect them. + */ + task = pid_task(info->notify_owner, PIDTYPE_TGID); + if (task && task->self_exec_id == + info->notify_self_exec_id) { + do_send_sig_info(info->notify.sigev_signo, + &sig_i, task, PIDTYPE_TGID); + } rcu_read_unlock(); - - kill_pid_info(info->notify.sigev_signo, - &sig_i, info->notify_owner); break; + } case SIGEV_THREAD: set_cookie(info->notify_cookie, NOTIFY_WOKENUP); netlink_sendskb(info->notify_sock, info->notify_cookie); @@ -1383,6 +1400,7 @@ retry: info->notify.sigev_signo = notification->sigev_signo; info->notify.sigev_value = notification->sigev_value; info->notify.sigev_notify = SIGEV_SIGNAL; + info->notify_self_exec_id = current->self_exec_id; break; }
_
Hi
[This is an automated email]
This commit has been processed because it contains a "Fixes:" tag fixing commit: cc731525f26a ("signal: Remove kernel interal si_code magic").
The bot has tested the following trees: v5.6.11, v5.4.39, v4.19.121, v4.14.179.
v5.6.11: Build OK! v5.4.39: Build OK! v4.19.121: Failed to apply! Possible dependencies: 4cd2e0e70af6 ("signal: Introduce copy_siginfo_from_user and use it's return value") ae7795bc6187 ("signal: Distinguish between kernel_siginfo and siginfo") efc463adbccf ("signal: Simplify tracehook_report_syscall_exit")
v4.14.179: Failed to apply! Possible dependencies: 212a36a17efe ("signal: Unify and correct copy_siginfo_from_user32") 3eb0f5193b49 ("signal: Ensure every siginfo we send has all bits initialized") 3f7c86b2382e ("arm64: Update fault_info table with new exception types") 526c3ddb6aa2 ("signal/arm64: Document conflicts with SI_USER and SIGFPE,SIGTRAP,SIGBUS") 532826f3712b ("arm64: Mirror arm for unimplemented compat syscalls") 6b4f3d01052a ("usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill") 92ff0674f5d8 ("arm64: mm: Rework unhandled user pagefaults to call arm64_force_sig_info") ae7795bc6187 ("signal: Distinguish between kernel_siginfo and siginfo") af40ff687bc9 ("arm64: signal: Ensure si_code is valid for all fault signals") b713da69e4c9 ("signal: unify compat_siginfo_t") ea64d5acc8f0 ("signal: Unify and correct copy_siginfo_to_user32") efc463adbccf ("signal: Simplify tracehook_report_syscall_exit")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
linux-stable-mirror@lists.linaro.org
-
Andrew Morton -
Sasha Levin