[PATCH] ppc64: fix incorrect signal handler argument

This fixes a bug in the ppc64 signal delivery code where the signal number argument to a signal handler can get corrupted before the handler is called. The specific scenario is that a process is in a blocking system call when two signals get generated for it, both of which have handlers. The signal code will stack up two signal frames on the process stack (assuming the mask for the first signal delivered doesn't block the second signal) and return to userspace to run the handler for the second signal. On return from that handler the first handler gets run with an incorrect signal number argument because we end up with regs->result still having a negative value (left over from when the system call was interrupted) when it should be zero. This patch sets it to zero when we set up the signal frame (in three places; for 64-bit processes, and for 32-bit processes for RT and non-RT signals). The way we handle signal delivery and signal handler return using the regs->result field in ppc64 is more complicated than it needs to be. In ppc32 I have already simplified it and eliminated use of the regs->result field. I am going to do the same in the ppc64 code, but I think this patch should go in for now to fix the bug. The patch also fixes a couple of places where we were unnecessarily and incorrectly truncating the regs->result value to 32 bits (sys32_sigreturn and sys32_rt_sigreturn return a long value, as all syscalls do, and if regs->result is negative we need those syscalls to return a negative value). Thanks to Maneesh Soni for identifying the specific circumstances under which this bug shows up.

[PATCH] ppc64: fix incorrect signal handler argument
This fixes a bug in the ppc64 signal delivery code where the signal number argument to a signal handler can get corrupted before the handler is called. The specific scenario is that a process is in a blocking system call when two signals get generated for it, both of which have handlers. The signal code will stack up two signal frames on the process stack (assuming the mask for the first signal delivered doesn't block the second signal) and return to userspace to run the handler for the second signal. On return from that handler the first handler gets run with an incorrect signal number argument because we end up with regs->result still having a negative value (left over from when the system call was interrupted) when it should be zero. This patch sets it to zero when we set up the signal frame (in three places; for 64-bit processes, and for 32-bit processes for RT and non-RT signals). The way we handle signal delivery and signal handler return using the regs->result field in ppc64 is more complicated than it needs to be. In ppc32 I have already simplified it and eliminated use of the regs->result field. I am going to do the same in the ppc64 code, but I think this patch should go in for now to fix the bug. The patch also fixes a couple of places where we were unnecessarily and incorrectly truncating the regs->result value to 32 bits (sys32_sigreturn and sys32_rt_sigreturn return a long value, as all syscalls do, and if regs->result is negative we need those syscalls to return a negative value). Thanks to Maneesh Soni for identifying the specific circumstances under which this bug shows up.
661c8e51 · Paul Mackerras · Linus Torvalds · 1f3c42cc · 661c8e51 · 661c8e51
Commit 661c8e51 authored May 01, 2004 by Paul Mackerras Committed by Linus Torvalds May 01, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

arch/ppc64/kernel/signal.c arch/ppc64/kernel/signal.c +1 -0

arch/ppc64/kernel/signal32.c arch/ppc64/kernel/signal32.c +2 -2

No files found.
--- a/arch/ppc64/kernel/signal.c
+++ b/arch/ppc64/kernel/signal.c
@@ -430,6 +430,7 @@ static void setup_rt_frame(int signr, struct k_sigaction *ka, siginfo_t *info,
 	regs->gpr[1] = newsp;
 	err |= get_user(regs->gpr[2], &funct_desc_ptr->toc);
 	regs->gpr[3] = signr;
+	regs->result = 0;
 	if (ka->sa.sa_flags & SA_SIGINFO) {
 		err |= get_user(regs->gpr[4], (unsigned long *)&frame->pinfo);
 		err |= get_user(regs->gpr[5], (unsigned long *)&frame->puc);

--- a/arch/ppc64/kernel/signal32.c
+++ b/arch/ppc64/kernel/signal32.c
@@ -676,6 +676,7 @@ static void handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
 	regs->nip = (unsigned long) ka->sa.sa_handler;
 	regs->link = (unsigned long) frame->tramp;
 	regs->trap = 0;
+	regs->result = 0;

 	return;

@@ -784,7 +785,6 @@ long sys32_rt_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
 	 */
       	sys32_sigaltstack((u32)(u64)&rt_sf->uc.uc_stack, 0, 0, 0, 0, 0, regs);

-	regs->result &= 0xFFFFFFFF;
 	ret = regs->result;

 	return ret;
@@ -841,6 +841,7 @@ static void handle_signal32(unsigned long sig, struct k_sigaction *ka,
 	regs->nip = (unsigned long) ka->sa.sa_handler;
 	regs->link = (unsigned long) frame->mctx.tramp;
 	regs->trap = 0;
+	regs->result = 0;

 	return;

@@ -885,7 +886,6 @@ long sys32_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
 	    || restore_user_regs(regs, sr, 1))
 		goto badframe;

-	regs->result &= 0xFFFFFFFF;
 	ret = regs->result;
 	return ret;