From c9b2d8016fca3b0545433e9d58a04c038b6fc921 Mon Sep 17 00:00:00 2001
From: Rich Felker
Date: Sun, 3 Apr 2011 12:20:51 -0400
Subject: don't trust siginfo in rsyscall handler
for some inexplicable reason, linux allows the sender of realtime signals to spoof its identity. permission checks for sending signals should limit the impact to same-user processes, but just to be safe, we avoid trusting the siginfo structure and instead simply examine the program state to see if we're in the middle of a legitimate rsyscall.
---
src/thread/pthread_create.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/thread/pthread_create.c b/src/thread/pthread_create.c
index d058a1ad..9df4f712 100644
--- a/src/thread/pthread_create.c
+++ b/src/thread/pthread_create.c
@@ -80,8 +80,7 @@ static void rsyscall_handler(int sig, siginfo_t *si, void *ctx)
 {
 struct pthread *self = __pthread_self();
- if (si->si_code > 0 || si->si_pid != self->pid ||
- rs.cnt == libc.threads_minus_1) return;
+ if (!rs.hold || rs.cnt == libc.threads_minus_1) return;
 
 /* Threads which have already decremented themselves from the
 * thread count must not increment rs.cnt or otherwise act. */
@@ -118,9 +117,9 @@ static int rsyscall(int nr, long a, long b, long c, long d, long e, long f)
 rs.arg[0] = a; rs.arg[1] = b; rs.arg[2] = c;
 rs.arg[3] = d; rs.arg[4] = d; rs.arg[5] = f;
- rs.hold = 1;
 rs.err = 0;
 rs.cnt = 0;
+ rs.hold = 1;
 
 /* Dispatch signals until all threads respond */
 for (i=libc.threads_minus_1; i; i--)
-- 
cgit v1.2.3-70-g09d2
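Review bot: With the si_pid/si_code test gone, the new guard `if (!rs.hold || rs.cnt == libc.threads_minus_1) return;` only rejects signals that arrive while no rsyscall is in progress; a signal from a forged sender that lands while rs.hold is set is processed exactly like the dispatching thread's own, a trade-off the commit message accepts but the code does not record. A comment at the guard would keep that visible, e.g. `/* siginfo is deliberately ignored: the kernel lets senders forge si_pid, so rs.hold (set only by rsyscall()) is the only evidence that a dispatch is in progress */`. rs.hold is also read here in a signal handler while another thread writes it; its declaration is not in this hunk, so whether it is volatile or otherwise safe for that cross-thread read is worth confirming. The body of rsyscall_handler continues past the end of the hunk.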
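Review bot: The unchanged context line `rs.arg[3] = d; rs.arg[4] = d; rs.arg[5] = f;` stores parameter d into rs.arg[4] while e, the fifth argument in the signature shown in the hunk header, is never used; it should read `rs.arg[3] = d; rs.arg[4] = e; rs.arg[5] = f;`. The commit does not touch this, but any rsyscall that depends on its fifth argument would be issued with the wrong value on every thread. Moving `rs.hold = 1;` after the rs.err and rs.cnt resets is the right order and deserves a comment, e.g. `/* hold must be set last: the handler treats it as the in-progress flag, so err/cnt must be reset before any handler can observe it */`. rsyscall's body begins before and continues after this hunk.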