From patchwork Wed Apr 1 21:05:15 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 228276 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD661C43331 for ; Wed, 1 Apr 2020 21:05:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A81412073B for ; Wed, 1 Apr 2020 21:05:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585775117; bh=VP1PZxxv1lKQ8jipV2r+luxeQ1i0P65eEd3U9TIYjeE=; h=Date:From:To:Subject:List-ID:From; b=F9/u5FSVrXhQR83shfH06CJVLzONKhYicJ2sXk5xo4xYKUSYXLALCc3gCl3PJ01EZ QuB/RU/Ifuo+Yih/CDsTBjgqVVJmuOmgiPV1q5rajSehbyxr7s7JBryCYKkhGPk/bZ k2NzH7CIpGfyvnYUnbojwimPHb2Zx3bxyl494zGk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732428AbgDAVFR (ORCPT ); Wed, 1 Apr 2020 17:05:17 -0400 Received: from mail.kernel.org ([198.145.29.99]:58692 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732337AbgDAVFR (ORCPT ); Wed, 1 Apr 2020 17:05:17 -0400 Received: from localhost.localdomain (c-73-231-172-41.hsd1.ca.comcast.net [73.231.172.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E3A0D2054F; Wed, 1 Apr 2020 21:05:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585775116; bh=VP1PZxxv1lKQ8jipV2r+luxeQ1i0P65eEd3U9TIYjeE=; h=Date:From:To:Subject:From; b=P9IVvS3TakVmPoZFcRaHoJXbhNlF62bNUYb0maQxyVZbxze8HyMEnLCZolyG+rcik h5hg1SN0xXOmY5d69zqvrJOAKSgoWDhUUOSBH+tc7fnX44aJ8ZeiIrpms/8CRcJbrk uc/fXVVHnp8ifEViylmDYYaOEe78vavJQOXf2V9U= Date: Wed, 01 Apr 2020 14:05:15 -0700 From: akpm@linux-foundation.org To: dave@stgolabs.net, ebiederm@xmission.com, elfring@users.sourceforge.net, manfred@colorfullife.com, mm-commits@vger.kernel.org, oleg@redhat.com, stable@vger.kernel.org, yoji.fujihar.min@gmail.com Subject: [to-be-updated] ipc-mqueuec-change-__do_notify-to-bypass-check_kill_permission.patch removed from -mm tree Message-ID: <20200401210515.gMDMliL6Y%akpm@linux-foundation.org> User-Agent: s-nail v14.8.16 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The patch titled Subject: ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() has been removed from the -mm tree. Its filename was ipc-mqueuec-change-__do_notify-to-bypass-check_kill_permission.patch This patch was dropped because an updated version will be merged ------------------------------------------------------ From: Oleg Nesterov Subject: ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() Commit cc731525f26a ("signal: Remove kernel interal si_code magic") changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify() no longer works if the sender doesn't have rights to send a signal. Change __do_notify() to use do_send_sig_info() instead of kill_pid_info() to avoid check_kill_permission(). This needs the additional notify.sigev_signo != 0 check, shouldn't we change do_mq_notify() to deny sigev_signo == 0 ? Test-case: #include #include #include #include #include static int notified; static void sigh(int sig) { notified = 1; } int main(void) { signal(SIGIO, sigh); int fd = mq_open("/mq", O_RDWR|O_CREAT, 0666, NULL); assert(fd >= 0); struct sigevent se = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGIO, }; assert(mq_notify(fd, &se) == 0); if (!fork()) { assert(setuid(1) == 0); mq_send(fd, "",1,0); return 0; } wait(NULL); mq_unlink("/mq"); assert(notified); return 0; } [oleg@redhat.com: s/PIDTYPE_PID/PIDTYPE_TGID/, per Eric] Link: http://lkml.kernel.org/r/20200327195643.GA9366@redhat.com Link: http://lkml.kernel.org/r/20200324200932.GB24230@redhat.com Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic") Reported-by: Yoji Signed-off-by: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Davidlohr Bueso Cc: Manfred Spraul Cc: Markus Elfring Cc: Signed-off-by: Andrew Morton --- ipc/mqueue.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) --- a/ipc/mqueue.c~ipc-mqueuec-change-__do_notify-to-bypass-check_kill_permission +++ a/ipc/mqueue.c @@ -774,28 +774,40 @@ static void __do_notify(struct mqueue_in * synchronously. */ if (info->notify_owner && info->attr.mq_curmsgs == 1) { - struct kernel_siginfo sig_i; switch (info->notify.sigev_notify) { case SIGEV_NONE: break; - case SIGEV_SIGNAL: - /* sends signal */ + case SIGEV_SIGNAL: { + struct kernel_siginfo sig_i; + struct task_struct *task; + + /* do_mq_notify() accepts sigev_signo == 0, why?? */ + if (!info->notify.sigev_signo) + break; clear_siginfo(&sig_i); sig_i.si_signo = info->notify.sigev_signo; sig_i.si_errno = 0; sig_i.si_code = SI_MESGQ; sig_i.si_value = info->notify.sigev_value; - /* map current pid/uid into info->owner's namespaces */ rcu_read_lock(); + /* map current pid/uid into info->owner's namespaces */ sig_i.si_pid = task_tgid_nr_ns(current, ns_of_pid(info->notify_owner)); - sig_i.si_uid = from_kuid_munged(info->notify_user_ns, current_uid()); + sig_i.si_uid = from_kuid_munged(info->notify_user_ns, + current_uid()); + /* + * We can't use kill_pid_info(), this signal should + * bypass check_kill_permission(). It is from kernel + * but si_fromuser() can't know this. + */ + task = pid_task(info->notify_owner, PIDTYPE_TGID); + if (task) + do_send_sig_info(info->notify.sigev_signo, + &sig_i, task, PIDTYPE_TGID); rcu_read_unlock(); - - kill_pid_info(info->notify.sigev_signo, - &sig_i, info->notify_owner); break; + } case SIGEV_THREAD: set_cookie(info->notify_cookie, NOTIFY_WOKENUP); netlink_sendskb(info->notify_sock, info->notify_cookie);