signal handling: virtualization, kernel-to-user info leak

John Reiser jreiser at BitWagon.com
Tue Feb 7 16:51:03 UTC 2006


My user-mode virtualization of signal handling stopped working in FC5.
I figured out why; the details, and a kernel patch, are in:
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180351

The dwarf2 unwind info in the vDSO for rt_sigframe, as well as
the kernel rt_sigreturn() itself, takes a shortcut by referencing the
struct ucontext directly, instead of via the puc pointer.  This
means that a thread kill to cancel a pthread_cond_wait causes a
SIGSEGV when unwinding through the virtualized rt_sigframe.
(The virtualized frame copies the four scalars {pretcode, sig,
pinfo, puc} while leaving the full structs behind.)
Returning from a virtualized signal handler also gets a SIGSEGV
because the kernel uses the ucontext that it "knows" is there,
instead of accessing it indirectly through the pointer puc.

Somewhat related, the kernel leaks ["garbage"] data from the
kernel stack when placing the struct siginfo onto the user stack.
In arch/i386/kernel/signal.c, subroutine do_signal() declares
an on-stack automatic local
    siginfo_t info;
The routine fills in portions without clearing the whole struct,
then copies the entire struct onto the user stack.
It's not cheap to clear (the internal union is
116 bytes long, and uses only about 28 bytes or so),
but isn't this an information security issue?

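The partially-filled-then-copied-whole pattern described above, as an added user-space model (not kernel code and not the reporter's patch): a 128-byte siginfo-like struct, a marker byte standing in for stale kernel-stack contents, a "delivery" that fills only the fields a kill(2)-sent SIGUSR1 needs, and a hardened variant that clears the struct first. The struct layout, the 0xA5 marker, and the helper names are this example's assumptions; a static stands in for the automatic local so the stale bytes are reproducible.

```c
/* Added example (not kernel code): a user-space model of the
 * partially-initialised siginfo_t copy described above.  The struct
 * layout, the 0xA5 marker standing in for stale kernel-stack bytes,
 * and all helper names are assumptions of this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled after the i386 siginfo_t: three leading ints, then a union
 * padded out to a 128-byte total.  Only 32-bit members are used so the
 * size is 128 on any host. */
#define MODEL_SI_MAX_SIZE 128
#define MODEL_SI_PAD_WORDS ((MODEL_SI_MAX_SIZE / sizeof(int32_t)) - 3)

typedef struct {
    int32_t si_signo;
    int32_t si_errno;
    int32_t si_code;
    union {
        int32_t _pad[MODEL_SI_PAD_WORDS];
        struct { int32_t _pid; uint32_t _uid; } _kill;  /* si_code == SI_USER */
        struct { uint32_t _addr; } _sigfault;          /* SIGSEGV/SIGBUS, 32-bit address */
    } _sifields;
} model_siginfo_t;

/* Byte pattern standing in for whatever earlier kernel code left on the
 * stack.  Constructed for the demonstration; real leftovers are arbitrary. */
#define STALE_BYTE 0xA5

/* Models the automatic `siginfo_t info` in do_signal().  A static is used
 * instead of a real stack local so the "stale" contents are reproducible. */
static model_siginfo_t kstack_info;

/* Fill the fields that a SIGUSR1 sent by kill(2) carries: the leading
 * three ints and the _kill member of the union.  Everything else in the
 * 116-byte union is left untouched, exactly as in the reported pattern. */
static void fill_kill_info(model_siginfo_t *info, int32_t pid, uint32_t uid) {
    info->si_signo = 10;   /* SIGUSR1 on i386 */
    info->si_errno = 0;
    info->si_code  = 0;    /* SI_USER */
    info->_sifields._kill._pid = pid;
    info->_sifields._kill._uid = uid;
}

/* Deliver the siginfo to the "user" frame.  hardened == 0 reproduces the
 * reported pattern: fill some fields, copy the whole struct.  hardened != 0
 * clears the struct first, which is the straightforward (if not free) fix. */
static void deliver(model_siginfo_t *user_frame, int hardened, int32_t pid, uint32_t uid) {
    model_siginfo_t *info = &kstack_info;
    memset(info, STALE_BYTE, sizeof *info);          /* stale stack contents */
    if (hardened)
        memset(info, 0, sizeof *info);
    fill_kill_info(info, pid, uid);
    memcpy(user_frame, info, sizeof *info);          /* stands in for copy_to_user() */
}

/* Number of bytes past the fields fill_kill_info() wrote that still carry
 * the stale marker, i.e. kernel bytes now visible to user space. */
static size_t stale_bytes_leaked(const model_siginfo_t *u) {
    const unsigned char *p = (const unsigned char *)u;
    size_t used = offsetof(model_siginfo_t, _sifields) + sizeof u->_sifields._kill;
    size_t n = 0;
    for (size_t i = used; i < sizeof *u; i++)
        if (p[i] == STALE_BYTE) n++;
    return n;
}

/* Run one delivery and report how many stale bytes reached user space:
 * 108 of 128 for the leaky path, 0 for the zeroed path. */
size_t leaked_bytes_for(int hardened) {
    model_siginfo_t user_frame;
    deliver(&user_frame, hardened, 1234, 1000);
    return stale_bytes_leaked(&user_frame);
}

int main(void) {
    printf("sizeof(model_siginfo_t) = %zu\n", sizeof(model_siginfo_t));
    printf("leaky delivery:  %zu stale bytes copied to user space\n", leaked_bytes_for(0));
    printf("zeroed delivery: %zu stale bytes copied to user space\n", leaked_bytes_for(1));
    return 0;
}
```

Clearing the whole struct is the simple fix and is what this example shows; the cheaper alternative is to copy only the leading three ints plus the one union member that is valid for the given si_code, which is how the kernel's copy_siginfo_to_user() avoids touching the rest of the union. Either way, the check to keep in mind when reviewing code of this shape is whether every byte of a buffer that crosses the kernel/user boundary was written before the copy.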