From owner-freebsd-bugs Sat Aug 21 9:52: 7 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id C19CF15300
	for ; Sat, 21 Aug 1999 09:52:00 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id JAA30885;
	Sat, 21 Aug 1999 09:50:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
	by hub.freebsd.org (Postfix) with SMTP id 5B5C014F64;
	Sat, 21 Aug 1999 09:41:27 -0700 (PDT)
	(envelope-from dwmalone@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
	id ; 21 Aug 1999 17:40:47 +0100 (BST)
Message-Id: <199908211740.aa28643@walton.maths.tcd.ie>
Date: Sat, 21 Aug 1999 17:40:47 +0100 (BST)
From: dwmalone@maths.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
Cc: cracauer@freebsd.org, bde@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/13293: You can catch SIGKILL and SIGSTOP in 4.0.
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 13293
>Category: kern
>Synopsis: You can catch SIGKILL and SIGSTOP in 4.0.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Aug 21 09:50:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: David Malone
>Release: FreeBSD 4.0-CURRENT i386
>Organization:
School of Mathematics, Trinity College, Dublin.
>Environment:
Any 4.0 machine with a version of kern_sig.c later than 1.57.
>Description:
Sigaction is supposed to check if you change the handler of SIGKILL or SIGSTOP to anything but SIG_DFL. In revision 1.57 one instance too many of sa->sa_handler got replaced by ps->ps_sigact[signum]. Resultingly it checks if the current handler is SIG_DFL instead of the new handler being SIG_DFL. This means you can create un-killable un-stoppable processes.
>How-To-Repeat:
The following program is unkillable.

#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

/* Handler installed for every signal number, SIGKILL and SIGSTOP included. */
void sighand(int sig) {
	printf("Caught signal %d\n",sig);
}

int main(int argc,char **argv) {
	int i;

	/* On an affected kernel these calls succeed for SIGKILL and SIGSTOP too. */
	for( i = 0 ; i < 32 ; i++ )
		signal(i,sighand);

	while(1);	/* spin so signals can be sent to the process */
	exit(0);
}

>Fix:
--- kern_sig.c 1999/08/16 18:13:38 1.60 +++ kern_sig.c 1999/08/21 16:06:30 @@ -155,11 +155,11 @@ if (uap->nsa) { if ((error = copyin((caddr_t)uap->nsa, (caddr_t)sa, sizeof (vec)))) return (error); if ((signum == SIGKILL || signum == SIGSTOP) && - ps->ps_sigact[signum] != SIG_DFL) + sa->sa_handler != SIG_DFL) return (EINVAL); setsigvec(p, signum, sa); } return (0); }
>Release-Note:
>Audit-Trail:
>Unformatted:
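
Review bot: the SIGKILL/SIGSTOP test in the uap->nsa branch should carry a short comment saying that it validates the handler just copied in from the caller (sa->sa_handler) and not the one already installed, because the removed ps->ps_sigact[signum] comparison shows how easily the two are confused at this spot. Since the check sits directly in front of setsigvec(p, signum, sa), it is also worth confirming that any other caller of setsigvec applies the same test to its caller-supplied handler, and adding a regression test that expects EINVAL when a handler is set for either signal.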
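
A regression check for the behaviour this PR describes, as an added example that is not part of the original report or of the FreeBSD source: it confirms that sigaction() refuses a handler or SIG_IGN for SIGKILL and SIGSTOP and leaves the disposition at SIG_DFL. The helper names install_refused and uncatchable_signal_failures are made up for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static void noop_handler(int sig) { (void)sig; }

/* Try to install `handler` for `signum`. Returns 1 only if the kernel
 * refused with EINVAL and the disposition is still SIG_DFL afterwards. */
static int install_refused(int signum, void (*handler)(int))
{
	struct sigaction sa, cur;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = handler;
	sigemptyset(&sa.sa_mask);

	errno = 0;
	if (sigaction(signum, &sa, NULL) != -1 || errno != EINVAL)
		return 0;	/* accepted: the state the PR reports */

	/* Query only (no new action); reading the disposition is allowed. */
	if (sigaction(signum, NULL, &cur) != 0)
		return 0;
	return cur.sa_handler == SIG_DFL;
}

/* Number of failed checks; 0 means both signals stay uncatchable. */
int uncatchable_signal_failures(void)
{
	static const int sigs[] = { SIGKILL, SIGSTOP };
	int failures = 0;

	for (size_t i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++) {
		failures += !install_refused(sigs[i], noop_handler);
		failures += !install_refused(sigs[i], SIG_IGN);
	}
	return failures;
}

int main(void)
{
	int n = uncatchable_signal_failures();

	printf("%d of 4 checks failed\n", n);
	return n != 0;
}
```

Each signal is tried twice in a row on purpose: the faulty comparison looked at the currently installed handler, so the result of the check depended on earlier calls.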