Please correct me if i'm wrong but it seems to me that i've stumbled on
really BIG security hole in the signal handling code.
The problem IMO is that the signal handling code stores a processor context
on the user-mode stack frame which is active while
the signal handler is running. Then sys_sigreturn restores back the context
from user mode stack...
Suppose the signal handler modifies this context frame for example by
storing into the PC slot address of the panic routine
then when handler will exit panic will be called with obvious results.
Please CC your comments to me directly as i'm not subscibed to this list
Vadim Lebedev
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/