kernel-2.6.18-238.19.1.el5.centos.plus.src.rpm

From: Oleg Nesterov <oleg@redhat.com>
Date: Thu, 23 Jun 2011 12:39:24 -0400
Subject: [misc] signal: fix kill signal spoofing issue
Message-id: <20110623123924.GA9393@redhat.com>
Patchwork-id: 36992
O-Subject: [RHEL5 PATCH] bz690031: kernel signal spoofing issue
Bugzilla: 690031
CVE: CVE-2011-1182
RH-Acked-by: Jerome Marchand <jmarchan@redhat.com>
RH-Acked-by: Frantisek Hrbata <fhrbata@redhat.com>
RH-Acked-by: Anton Arapov <Anton@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=690031

Upstream commits da48524e and 243b422a.

Don't allow to spoof tkill/tgkill.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>

diff --git a/kernel/signal.c b/kernel/signal.c
index 654dd2c..c83dcfc 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2143,9 +2143,11 @@ sys_rt_sigqueueinfo(int pid, int sig, siginfo_t __user *uinfo)
 	if (copy_from_user(&info, uinfo, sizeof(siginfo_t)))
 		return -EFAULT;
 
-	/* Not even root can pretend to send signals from the kernel.
-	   Nor can they impersonate a kill(), which adds source info.  */
-	if (info.si_code >= 0)
+	/*
+	 * Not even root can pretend to send signals from the kernel.
+	 * Nor can they impersonate a kill()/tkill(), which adds source info.
+	 */
+	if (info.si_code >= 0 || info.si_code == SI_TKILL)
 		return -EPERM;
 	info.si_signo = sig;
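
Review bot: the rewritten comment in sys_rt_sigqueueinfo() names only kill()/tkill(), while the commit message says the fix covers tkill/tgkill; mention tgkill() there as well, and add a few words on why SI_TKILL is the one negative si_code rejected, since the `info.si_code >= 0 || info.si_code == SI_TKILL` test otherwise looks arbitrary to a later reader. The test also applies regardless of the `pid` argument, so a caller queuing a signal to itself with one of these codes now gets -EPERM too; the commit message should say whether that is intended. The description is a single line and would be easier to audit if it stated what a receiver could be misled about (the source information attached to the signal) before this change.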