Re: Bug (since v4.20): integer underflow in known_siginfo_layout() when sig=0
From: Eric W. Biederman
Date: Sat Jan 12 2019 - 12:43:28 EST
Eric Biggers <ebiggers@xxxxxxxxxx> writes:
> Hi Eric,
>
> The following commit, which went into v4.20, introduced undefined behavior when
> sys_rt_sigqueueinfo() is called with sig=0:
Ouch. Good catch.
It looks like the fix is just to do:
diff --git a/include/linux/signal.h b/include/linux/signal.h
index f428e86f4800..b5d99482d3fe 100644
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -388,7 +388,7 @@ extern bool unhandled_signal(struct task_struct *tsk, int sig);
#endif
#define siginmask(sig, mask) \
- ((sig) < SIGRTMIN && (rt_sigmask(sig) & (mask)))
+ ((sig) > 0 && (sig) < SIGRTMIN && (rt_sigmask(sig) & (mask)))
#define SIG_KERNEL_ONLY_MASK (\
rt_sigmask(SIGKILL) | rt_sigmask(SIGSTOP))
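Review bot: the new `(sig) > 0` guard is correct only because `&&` short-circuits, so `rt_sigmask(sig)` (and its `sig - 1` shift count) is never evaluated for sig <= 0; that should be stated in the commit message of the proper patch, together with a Fixes: tag for the v4.20 commit named in the report and a note that known_siginfo_layout() reaches the shift through siginmask(). Two caveats follow from the hunk: `sig` is now expanded three times in the macro, so every call site must keep passing a side-effect-free expression, and any code that calls `rt_sigmask()` directly rather than through `siginmask()` is not covered by this change and needs its own range check.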
As gcc is smart enough to combine those two range tests into a single
comparison. That will ensure the undefined behavior does not byte
anyone else.
I will see about whipping up a proper patch.
Eric
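As an added illustration of the guarded macro discussed above (this is not code from the thread or from the kernel tree): a user-space C model of the macros, assuming the kernel's rt_sigmask() has the shape `1ULL << ((sig) - 1)` and that SIGRTMIN is 32 on Linux. With sig = 0 the unguarded shift count would be -1, which is undefined behaviour in C; the `(sig) > 0` test fails first, so the shift is never evaluated for zero or negative signal numbers.

```c
#include <stdio.h>

/* User-space model of the kernel macros (assumed shapes, not the kernel
 * headers themselves). rt_sigmask() shifts by (sig - 1), so sig == 0 would
 * request a shift by -1: undefined behaviour, and on x86-64 in practice the
 * bit for signal 64 rather than "no signal". */
#define SIGRTMIN 32
#define rt_sigmask(sig) (1ULL << ((sig) - 1))

/* The guarded form from the patch. The range tests run left to right and
 * '&&' short-circuits, so rt_sigmask(sig) is only reached for 1..SIGRTMIN-1. */
#define siginmask(sig, mask) \
	((sig) > 0 && (sig) < SIGRTMIN && (rt_sigmask(sig) & (mask)))

/* Signal numbers as on Linux x86-64; used only to build the sample mask. */
#define SIGKILL 9
#define SIGTERM 15
#define SIGSTOP 19
#define SIG_KERNEL_ONLY_MASK (rt_sigmask(SIGKILL) | rt_sigmask(SIGSTOP))

/* Returns 1 if 'sig' is a kernel-only signal, 0 for every other value,
 * including 0, negative numbers and real-time signals (>= SIGRTMIN). */
int sig_kernel_only(int sig)
{
	return siginmask(sig, SIG_KERNEL_ONLY_MASK) ? 1 : 0;
}

/* Counts how many values in [lo, hi] the guarded macro classifies as
 * kernel-only; with the guard in place the answer for [-1, 64] is exactly 2
 * (SIGKILL and SIGSTOP), and no undefined shift is ever performed. */
int count_kernel_only(int lo, int hi)
{
	int n = 0;

	for (int sig = lo; sig <= hi; sig++)
		n += sig_kernel_only(sig);
	return n;
}

int main(void)
{
	/* sig is read at run time so the compiler cannot constant-fold it. */
	int probes[] = { -1, 0, SIGKILL, SIGTERM, SIGSTOP, SIGRTMIN, 64 };

	for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("sig %3d -> kernel-only: %d\n", probes[i],
		       sig_kernel_only(probes[i]));
	printf("kernel-only signals in [-1, 64]: %d\n",
	       count_kernel_only(-1, 64));
	return 0;
}
```

The model is deliberately minimal: it reproduces only the part of the macro chain the patch touches, so the effect of the added `(sig) > 0` test can be seen in isolation. Code that calls rt_sigmask() directly, rather than through siginmask(), gets no protection from this guard and must range-check its argument itself.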