From: Andy Lutomirski
Date: Wed, 11 Mar 2015 15:26:13 -0700
Subject: Re: [PATCH] Don't allow blocking of signals using sigreturn.
To: Mikael Pettersson
Cc: Jann Horn, Linux API, linux-kernel@vger.kernel.org, Michael Kerrisk, Russell King, Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, X86 ML, Jeff Dike, Richard Weinberger, Kees Cook, Will Drewry
In-Reply-To: <21760.46870.338764.599348@gargle.gargle.HOWL>
References: <20150311174204.GA5712@pc.thejh.net> <21760.46870.338764.599348@gargle.gargle.HOWL>

On Wed, Mar 11, 2015 at 2:43 PM, Mikael Pettersson wrote:
> Jann Horn writes:
> > Or should I throw this patch away and write a patch
> > for the prctl() manpage instead that documents that
> > being able to call sigreturn() implies being able to
> > effectively call sigprocmask(), at least on some
> > architectures like X86?
>
> Well, that is the semantics of sigreturn(). It is essentially
> setcontext() [which includes the actions of sigprocmask()], but
> with restrictions on parameter placement (at least on x86).
>
> You could introduce some setting to restrict that aspect for
> seccomp processes, but you can't change this for normal processes
> without breaking things.
Which leads to the interesting question: does anyone ever call sigreturn
with a different signal mask than the kernel put there during signal
delivery or, even more strangely, with a totally made up context? I
suspect that the former does happen, even if the latter may be rare or
completely implausible. I certainly have code that modifies GPRs in the
context prior to sigreturn.

--Andy

-- 
Andy Lutomirski
AMA Capital Management, LLC
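The point Mikael and Andy are making, that sigreturn() installs whatever signal mask sits in the saved context and so behaves like sigprocmask(), can be observed directly from a signal handler. The following program is an added example written for this thread, not code from the patch or from any of the participants. It assumes a Linux system where the third argument of an SA_SIGINFO handler is the ucontext_t that rt_sigreturn will restore: the handler for SIGUSR1 adds SIGUSR2 to uc_sigmask, and after the handler returns the process mask has changed even though sigprocmask() was never called by the program. The same run with the handler leaving the context alone shows the mask unchanged, which is the behaviour a seccomp policy author who blocks sigprocmask but allows sigreturn needs to be aware of.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Added example, not from the thread. Assumes Linux rt_sigreturn
 * semantics: the ucontext_t handed to the handler is the context that
 * sigreturn restores, including uc_sigmask. */

static volatile sig_atomic_t modify_mask_in_handler;
static volatile sig_atomic_t handler_ran;

static void usr1_handler(int sig, siginfo_t *info, void *ctx)
{
    ucontext_t *uc = ctx;
    (void)sig;
    (void)info;
    handler_ran = 1;
    if (modify_mask_in_handler) {
        /* Edit the saved mask; sigreturn will install it on return.
         * sigaddset is async-signal-safe. */
        sigaddset(&uc->uc_sigmask, SIGUSR2);
    }
}

/* Deliver SIGUSR1 to ourselves and report whether SIGUSR2 is blocked
 * afterwards. Returns 1 if blocked, 0 if not, -1 on setup failure.
 * If modify != 0 the handler edits the saved uc_sigmask. */
int mask_after_handler(int modify)
{
    struct sigaction sa, old;
    sigset_t usr2, cur;
    int blocked;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = usr1_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, &old) != 0)
        return -1;

    /* Start from a known state: SIGUSR2 unblocked. */
    sigemptyset(&usr2);
    sigaddset(&usr2, SIGUSR2);
    sigprocmask(SIG_UNBLOCK, &usr2, NULL);

    modify_mask_in_handler = modify;
    handler_ran = 0;
    raise(SIGUSR1);               /* handler runs, then sigreturn */
    sigaction(SIGUSR1, &old, NULL);
    if (!handler_ran)
        return -1;

    sigprocmask(SIG_BLOCK, NULL, &cur);   /* query only */
    blocked = sigismember(&cur, SIGUSR2);

    /* Leave the caller's mask as we found it. */
    sigprocmask(SIG_UNBLOCK, &usr2, NULL);
    return blocked;
}

int main(void)
{
    printf("handler untouched context: SIGUSR2 blocked = %d\n",
           mask_after_handler(0));
    printf("handler edited uc_sigmask: SIGUSR2 blocked = %d\n",
           mask_after_handler(1));
    return 0;
}
```

Run as-is the first line prints 0 and the second prints 1: the only thing that changed between the two runs is a write to the saved context, which is exactly the "sigreturn implies sigprocmask" equivalence the patch discussion is about. A policy that wants to deny mask changes therefore cannot do so by filtering the sigprocmask system calls alone.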