From: Oleg Nesterov <oleg@redhat.com> Date: Thu, 23 Jun 2011 12:39:24 -0400 Subject: [misc] signal: fix kill signal spoofing issue Message-id: <20110623123924.GA9393@redhat.com> Patchwork-id: 36992 O-Subject: [RHEL5 PATCH] bz690031: kernel signal spoofing issue Bugzilla: 690031 CVE: CVE-2011-1182 RH-Acked-by: Jerome Marchand <jmarchan@redhat.com> RH-Acked-by: Frantisek Hrbata <fhrbata@redhat.com> RH-Acked-by: Anton Arapov <Anton@redhat.com> https://bugzilla.redhat.com/show_bug.cgi?id=690031 Upstream commits da48524e and 243b422a. Don't allow to spoof tkill/tgkill. Signed-off-by: Oleg Nesterov <oleg@redhat.com> diff --git a/kernel/signal.c b/kernel/signal.c index 654dd2c..c83dcfc 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -2143,9 +2143,11 @@ sys_rt_sigqueueinfo(int pid, int sig, siginfo_t __user *uinfo) if (copy_from_user(&info, uinfo, sizeof(siginfo_t))) return -EFAULT; - /* Not even root can pretend to send signals from the kernel. - Nor can they impersonate a kill(), which adds source info. */ - if (info.si_code >= 0) + /* + * Not even root can pretend to send signals from the kernel. + * Nor can they impersonate a kill()/tkill(), which adds source info. + */ + if (info.si_code >= 0 || info.si_code == SI_TKILL) return -EPERM; info.si_signo = sig;
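Review bot: In the new condition `if (info.si_code >= 0 || info.si_code == SI_TKILL)`, the comment does not say why SI_TKILL needs its own clause. It is a negative si_code, so the old `>= 0` test alone let a caller-supplied siginfo claim to come from tkill()/tgkill(). Stating that in the comment would keep a later cleanup from folding the test back to `>= 0`. The message says tkill/tgkill spoofing is no longer allowed, but the only hunk here is in sys_rt_sigqueueinfo(). If this tree has any other path that copies a siginfo_t from user space and queues it, it needs the same check, and the message should say whether that was audited. Two upstream commits are folded into a single changed condition, so the message would also be easier to verify against upstream if it said what each of da48524e and 243b422a contributes.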