sys_rt_sigaction: fix sigset copying
In practice, we always copy as many bytes as syscall param says
(8, or 16 on mips). However, malicious program can call sigaction
with wrong sigset size. Such syscall will result in EINVAL,
but we (strace) end up copying 128 bytes (sizeof(sigset_t)),
which copyes some garbage from stack after struct sigaction.
Now we always copy NSIG / 8 bytes (which is 8 bytes, or 16 on mips).
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
diff --git a/signal.c b/signal.c
index 7f8ed52..66ce613 100644
--- a/signal.c
+++ b/signal.c
@@ -1331,23 +1331,18 @@
tprints("{SIG_IGN, ");
else
tprintf("{%#lx, ", (long) sa.__sa_handler);
- /* Questionable code below.
- * Kernel won't handle sys_rt_sigaction
- * with wrong sigset size (just returns EINVAL)
- * therefore tcp->u_arg[3(4)] _must_ be NSIG / 8 here,
- * and we always use smaller memcpy. */
+ /*
+ * Sigset size is in tcp->u_arg[4] (SPARC)
+ * or in tcp->u_arg[3] (all other),
+ * but kernel won't handle sys_rt_sigaction
+ * with wrong sigset size (just returns EINVAL instead).
+ * We just fetch the right size, which is NSIG / 8.
+ */
sigemptyset(&sigset);
-#if defined(SPARC) || defined(SPARC64)
- if (tcp->u_arg[4] <= sizeof(sigset))
- memcpy(&sigset, &sa.sa_mask, tcp->u_arg[4]);
-#else
- if (tcp->u_arg[3] <= sizeof(sigset))
- memcpy(&sigset, &sa.sa_mask, tcp->u_arg[3]);
-#endif
- else
- memcpy(&sigset, &sa.sa_mask, sizeof(sigset));
- printsigmask(&sigset, 1);
+ memcpy(&sigset, &sa.sa_mask, NSIG / 8);
+ printsigmask(&sigset, /*rt:*/ 1);
tprints(", ");
+
printflags(sigact_flags, sa.sa_flags, "SA_???");
#ifdef SA_RESTORER
if (sa.sa_flags & SA_RESTORER)