On Wed, Feb 14, 2024 at 01:36:56PM +0100, Oleg Nesterov wrote:
> On 02/10, Oleg Nesterov wrote:
> >
> > On 02/10, Christian Brauner wrote:
> > >
> > > + if (type == PIDFD_SIGNAL_PROCESS_GROUP)
> > > + ret = kill_pgrp_info(sig, &kinfo, pid);
> >
> > I guess you meant
> >
> > if (type == PIDTYPE_PGID)
> >
> > other than that,
> >
> > Reviewed-by: Oleg Nesterov <oleg@xxxxxxxxxx>
>
> Yes, but there is another thing I hadn't thought of...
>
> sys_pidfd_send_signal() does
>
> /* Only allow sending arbitrary signals to yourself. */
> ret = -EPERM;
> if ((task_pid(current) != pid) &&
> (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL))
> goto err;
>
> and I am not sure that task_pid(current) == pid should allow
> the "arbitrary signals" if PIDFD_SIGNAL_PROCESS_GROUP.
>
> Perhaps
>
> /* Only allow sending arbitrary signals to yourself. */
> ret = -EPERM;
> if ((task_pid(current) != pid || type == PIDTYPE_PGID) &&
> (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)
> goto err;
Honestly, we should probably just do:
if (kinfo->si_code != SI_USER)
goto err
and be done with it. If we get regressions reports about this then it's
easy to fix that up. But I find that unlikely. So why not try to get
away with something much simpler. What do you think?
>From 82a0d641e6f0bcf1a81731e06462df6911ecdd4e Mon Sep 17 00:00:00 2001
From: Christian Brauner <brauner@xxxxxxxxxx>
Date: Fri, 16 Feb 2024 13:21:11 +0100
Subject: [PATCH] signal: disallow non-SI_USER signals in pidfd_send_signal()
Oleg pointed out that the following condition:
/* Only allow sending arbitrary signals to yourself. */
ret = -EPERM;
if ((task_pid(current) != pid) &&
(kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL))
goto err;
doesn't account for PIDFD_SIGNAL_PROCESS_GROUP. He suggested:
/* Only allow sending arbitrary signals to yourself. */
ret = -EPERM;
if ((task_pid(current) != pid || type == PIDTYPE_PGID) &&
(kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)
goto err;
but I think we should just go all the way and error out if userspace
specifies anything else than SI_USER as si_code. It's probably an unused
feature right now anyway and if someone needs it than it's easy to add
back.
Reported-by: Oleg Nesterov <oleg@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20240214123655.GB16265@xxxxxxxxxx
Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
---
kernel/signal.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/kernel/signal.c b/kernel/signal.c
index cf6539a6b1cb..92a80e8d6b22 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3954,10 +3954,7 @@ SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, int, sig,
if (unlikely(sig != kinfo.si_signo))
goto err;
- /* Only allow sending arbitrary signals to yourself. */
- ret = -EPERM;
- if ((task_pid(current) != pid) &&
- (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL))
+ if (kinfo.si_code != SI_USER)
goto err;
} else {
prepare_kill_siginfo(sig, &kinfo, type);
--
2.43.0
