Commit 26df6d13406d1a5 ("tty: Add EXTPROC support for LINEMODE") allows a process which has opened a pty master to send _any_ signal to the process group of the pty slave. Although potentially exploitable by a malicious program running a setuid program on a pty slave, it's unknown if this exploit currently exists. Limit to signals actually used. Cc: Theodore Ts'o <tytso@xxxxxxx> Cc: Howard Chu <hyc@xxxxxxxxx> Cc: One Thousand Gnomes <gnomes@xxxxxxxxxxxxxxxxxxx> Cc: Jiri Slaby <jslaby@xxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> # 2.6.36+ Signed-off-by: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx> --- v2: Fixed stupidity. drivers/tty/pty.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c index a9d256d..6e1f150 100644 --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c @@ -210,6 +210,9 @@ static int pty_signal(struct tty_struct *tty, int sig) { struct pid *pgrp; + if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP) + return -EINVAL; + if (tty->link) { pgrp = tty_get_pgrp(tty->link); if (pgrp) -- 2.2.2 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html