signals: don't abuse __flush_signals() in selinux_bprm_committed_creds()

selinux_bprm_committed_creds()->__flush_signals() is not right, we
shouldn't clear TIF_SIGPENDING unconditionally. There can be other
reasons for signal_pending(): freezing(), JOBCTL_PENDING_MASK, and
potentially more.

Also change this code to check fatal_signal_pending() rather than
SIGNAL_GROUP_EXIT, it looks a bit better.

Now we can kill __flush_signals() before it finds another buggy user.

Note: this code looks racy, we can flush a signal which was sent after
the task SID has been updated.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>

diff --git a/include/linux/sched.h b/include/linux/sched.h
index 8222ae40ecb0167d55f3b59027277d2a9e98d80d..4f84aade8b4da4ef2182c52f0c8186d573b809d0 100644 (file)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -2373,7 +2373,6 @@ extern void sched_dead(struct task_struct *p);
 
 extern void proc_caches_init(void);
 extern void flush_signals(struct task_struct *);
-extern void __flush_signals(struct task_struct *);
 extern void ignore_signals(struct task_struct *);
 extern void flush_signal_handlers(struct task_struct *, int force_default);
 extern int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info);

diff --git a/kernel/signal.c b/kernel/signal.c
index d51c5ddd855c84b9b65d4a7ef22eedcdff2eeafa..d4972504f2f18b119ec223d02a8736cabba9fb17 100644 (file)
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -414,21 +414,16 @@ void flush_sigqueue(struct sigpending *queue)
 }
 
 /*
- * Flush all pending signals for a task.
+ * Flush all pending signals for this kthread.
  */
-void __flush_signals(struct task_struct *t)
-{
-       clear_tsk_thread_flag(t, TIF_SIGPENDING);
-       flush_sigqueue(&t->pending);
-       flush_sigqueue(&t->signal->shared_pending);
-}
-
 void flush_signals(struct task_struct *t)
 {
        unsigned long flags;
 
        spin_lock_irqsave(&t->sighand->siglock, flags);
-       __flush_signals(t);
+       clear_tsk_thread_flag(t, TIF_SIGPENDING);
+       flush_sigqueue(&t->pending);
+       flush_sigqueue(&t->signal->shared_pending);
        spin_unlock_irqrestore(&t->sighand->siglock, flags);
 }
 

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 99c4a00cce4e264bb680111dae4c6ccb6d5b847a..8abbd548ece9267172361922f8275be0ee8f814a 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2416,10 +2416,12 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
                for (i = 0; i < 3; i++)
                        do_setitimer(i, &itimer, NULL);
                spin_lock_irq(&current->sighand->siglock);
-               if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
-                       __flush_signals(current);
+               if (!fatal_signal_pending(current)) {
+                       flush_sigqueue(&current->pending);
+                       flush_sigqueue(&current->signal->shared_pending);
                        flush_signal_handlers(current, 1);
                        sigemptyset(&current->blocked);
+                       recalc_sigpending();
                }
                spin_unlock_irq(&current->sighand->siglock);
        }