don't trust siginfo in rsyscall handler

for some inexplicable reason, linux allows the sender of realtime signals to spoof its identity. permission checks for sending signals should limit the impact to same-user processes, but just to be safe, we avoid trusting the siginfo structure and instead simply examine the program state to see if we're in the middle of a legitimate rsyscall.

don't trust siginfo in rsyscall handler
for some inexplicable reason, linux allows the sender of realtime signals to spoof its identity. permission checks for sending signals should limit the impact to same-user processes, but just to be safe, we avoid trusting the siginfo structure and instead simply examine the program state to see if we're in the middle of a legitimate rsyscall.
c9b2d801 · Rich Felker · 6e9ed66d · c9b2d801
隐藏空白更改
内联并排

Showing with 2 addition and 3 deletion

src/thread/pthread_create.c src/thread/pthread_create.c +2 -3

未找到文件。
--- a/src/thread/pthread_create.c
+++ b/src/thread/pthread_create.c
@@ -80,8 +80,7 @@ static void rsyscall_handler(int sig, siginfo_t *si, void *ctx)
 {
 	struct pthread *self = __pthread_self();

-	if (si->si_code > 0 || si->si_pid != self->pid ||
-		rs.cnt == libc.threads_minus_1) return;
+	if (!rs.hold || rs.cnt == libc.threads_minus_1) return;

 	/* Threads which have already decremented themselves from the
 	 * thread count must not increment rs.cnt or otherwise act. */
@@ -118,9 +117,9 @@ static int rsyscall(int nr, long a, long b, long c, long d, long e, long f)
 	rs.arg[0] = a; rs.arg[1] = b;
 	rs.arg[2] = c; rs.arg[3] = d;
 	rs.arg[4] = d; rs.arg[5] = f;
-	rs.hold = 1;
 	rs.err = 0;
 	rs.cnt = 0;
+	rs.hold = 1;

 	/* Dispatch signals until all threads respond */
 	for (i=libc.threads_minus_1; i; i--)