mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-23 12:14:10 +08:00
ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()
Commitcc731525f2
("signal: Remove kernel interal si_code magic") changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify() no longer works if the sender doesn't have rights to send a signal. Change __do_notify() to use do_send_sig_info() instead of kill_pid_info() to avoid check_kill_permission(). This needs the additional notify.sigev_signo != 0 check, shouldn't we change do_mq_notify() to deny sigev_signo == 0 ? Test-case: #include <signal.h> #include <mqueue.h> #include <unistd.h> #include <sys/wait.h> #include <assert.h> static int notified; static void sigh(int sig) { notified = 1; } int main(void) { signal(SIGIO, sigh); int fd = mq_open("/mq", O_RDWR|O_CREAT, 0666, NULL); assert(fd >= 0); struct sigevent se = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGIO, }; assert(mq_notify(fd, &se) == 0); if (!fork()) { assert(setuid(1) == 0); mq_send(fd, "",1,0); return 0; } wait(NULL); mq_unlink("/mq"); assert(notified); return 0; } [manfred@colorfullife.com: 1) Add self_exec_id evaluation so that the implementation matches do_notify_parent 2) use PIDTYPE_TGID everywhere] Fixes:cc731525f2
("signal: Remove kernel interal si_code magic") Reported-by: Yoji <yoji.fujihar.min@gmail.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Markus Elfring <elfring@users.sourceforge.net> Cc: <1vier1@web.de> Cc: <stable@vger.kernel.org> Link: http://lkml.kernel.org/r/e2a782e4-eab9-4f5c-c749-c07a8f7a4e66@colorfullife.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
a811c1fa0a
commit
b5f2006144
34
ipc/mqueue.c
34
ipc/mqueue.c
@ -142,6 +142,7 @@ struct mqueue_inode_info {
|
|||||||
|
|
||||||
struct sigevent notify;
|
struct sigevent notify;
|
||||||
struct pid *notify_owner;
|
struct pid *notify_owner;
|
||||||
|
u32 notify_self_exec_id;
|
||||||
struct user_namespace *notify_user_ns;
|
struct user_namespace *notify_user_ns;
|
||||||
struct user_struct *user; /* user who created, for accounting */
|
struct user_struct *user; /* user who created, for accounting */
|
||||||
struct sock *notify_sock;
|
struct sock *notify_sock;
|
||||||
@ -773,28 +774,44 @@ static void __do_notify(struct mqueue_inode_info *info)
|
|||||||
* synchronously. */
|
* synchronously. */
|
||||||
if (info->notify_owner &&
|
if (info->notify_owner &&
|
||||||
info->attr.mq_curmsgs == 1) {
|
info->attr.mq_curmsgs == 1) {
|
||||||
struct kernel_siginfo sig_i;
|
|
||||||
switch (info->notify.sigev_notify) {
|
switch (info->notify.sigev_notify) {
|
||||||
case SIGEV_NONE:
|
case SIGEV_NONE:
|
||||||
break;
|
break;
|
||||||
case SIGEV_SIGNAL:
|
case SIGEV_SIGNAL: {
|
||||||
/* sends signal */
|
struct kernel_siginfo sig_i;
|
||||||
|
struct task_struct *task;
|
||||||
|
|
||||||
|
/* do_mq_notify() accepts sigev_signo == 0, why?? */
|
||||||
|
if (!info->notify.sigev_signo)
|
||||||
|
break;
|
||||||
|
|
||||||
clear_siginfo(&sig_i);
|
clear_siginfo(&sig_i);
|
||||||
sig_i.si_signo = info->notify.sigev_signo;
|
sig_i.si_signo = info->notify.sigev_signo;
|
||||||
sig_i.si_errno = 0;
|
sig_i.si_errno = 0;
|
||||||
sig_i.si_code = SI_MESGQ;
|
sig_i.si_code = SI_MESGQ;
|
||||||
sig_i.si_value = info->notify.sigev_value;
|
sig_i.si_value = info->notify.sigev_value;
|
||||||
/* map current pid/uid into info->owner's namespaces */
|
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
|
/* map current pid/uid into info->owner's namespaces */
|
||||||
sig_i.si_pid = task_tgid_nr_ns(current,
|
sig_i.si_pid = task_tgid_nr_ns(current,
|
||||||
ns_of_pid(info->notify_owner));
|
ns_of_pid(info->notify_owner));
|
||||||
sig_i.si_uid = from_kuid_munged(info->notify_user_ns, current_uid());
|
sig_i.si_uid = from_kuid_munged(info->notify_user_ns,
|
||||||
|
current_uid());
|
||||||
|
/*
|
||||||
|
* We can't use kill_pid_info(), this signal should
|
||||||
|
* bypass check_kill_permission(). It is from kernel
|
||||||
|
* but si_fromuser() can't know this.
|
||||||
|
* We do check the self_exec_id, to avoid sending
|
||||||
|
* signals to programs that don't expect them.
|
||||||
|
*/
|
||||||
|
task = pid_task(info->notify_owner, PIDTYPE_TGID);
|
||||||
|
if (task && task->self_exec_id ==
|
||||||
|
info->notify_self_exec_id) {
|
||||||
|
do_send_sig_info(info->notify.sigev_signo,
|
||||||
|
&sig_i, task, PIDTYPE_TGID);
|
||||||
|
}
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
|
||||||
kill_pid_info(info->notify.sigev_signo,
|
|
||||||
&sig_i, info->notify_owner);
|
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
case SIGEV_THREAD:
|
case SIGEV_THREAD:
|
||||||
set_cookie(info->notify_cookie, NOTIFY_WOKENUP);
|
set_cookie(info->notify_cookie, NOTIFY_WOKENUP);
|
||||||
netlink_sendskb(info->notify_sock, info->notify_cookie);
|
netlink_sendskb(info->notify_sock, info->notify_cookie);
|
||||||
@ -1383,6 +1400,7 @@ retry:
|
|||||||
info->notify.sigev_signo = notification->sigev_signo;
|
info->notify.sigev_signo = notification->sigev_signo;
|
||||||
info->notify.sigev_value = notification->sigev_value;
|
info->notify.sigev_value = notification->sigev_value;
|
||||||
info->notify.sigev_notify = SIGEV_SIGNAL;
|
info->notify.sigev_notify = SIGEV_SIGNAL;
|
||||||
|
info->notify_self_exec_id = current->self_exec_id;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user