[PATCH 3.10 32/53] tty: Prevent untrappable signals from malicious program

From: Greg Kroah-Hartman
Date: Wed Mar 04 2015 - 03:28:56 EST


3.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx>

commit 37480a05685ed5b8e1b9bf5e5c53b5810258b149 upstream.

Commit 26df6d13406d1a5 ("tty: Add EXTPROC support for LINEMODE")
allows a process which has opened a pty master to send _any_ signal
to the process group of the pty slave. Although potentially
exploitable by a malicious program running a setuid program on
a pty slave, it's unknown if this exploit currently exists.

Limit to signals actually used.

Cc: Theodore Ts'o <tytso@xxxxxxx>
Cc: Howard Chu <hyc@xxxxxxxxx>
Cc: One Thousand Gnomes <gnomes@xxxxxxxxxxxxxxxxxxx>
Cc: Jiri Slaby <jslaby@xxxxxxx>
Signed-off-by: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/tty/pty.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -215,6 +215,9 @@ static int pty_signal(struct tty_struct
unsigned long flags;
struct pid *pgrp;

+ if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP)
+ return -EINVAL;
+
if (tty->link) {
spin_lock_irqsave(&tty->link->ctrl_lock, flags);
pgrp = get_pid(tty->link->pgrp);


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/