This change hardens against invalid calls to sigreturn, which is a very
useful gadget when compromising a process. The system call now verifies
it is a real return from a signal and aborts the process otherwise. This
should render such attacks impossible in threads that are not servicing a
signal, and infeasible in threads that are handling signals they are yet to
return from.
The kernel now keeps track for each thread how many signals are being
handled but haven't returned yet.
Each thread now has a random signal value. It is re-randomized when the
thread handles a signal and the current signal counter is zero. This is
xorred with the context address and used as canary on the stack during
signal dispatch, protecting the saved context on the stack. This works
mostly like the regular stack protector.
The kernel now keeps track of the stack pointer for a single handled
signal per thread. It doesn't seem worth it to keep track of multiple
handled signals, as more than one is rare. Note that each delivered signal
will not necessarily result in a sigreturn because it is valid for a thread
to longjmp(3) out of a signal handler to a valid jmp_buf.
The sigreturn system call will abort if either:
- It was not called from the kernel sigreturn page.
- The thread is not currently processing a signal.
- The thread is processing a single signal, and the stack pointer did not
have the expected value.
- It fails to read the context on the stack.
- The canary is wrong.
This properly avoids problems where the compiler is unaware that this is the
implementation and assumes it can rely on the implementation. For instance,
it might implement calloc using a call to calloc.
Restructure the code that wrongly assumed __STDC_HOSTED__ meant userspace.
tix-build recorded the owner and group as the user building the package,
rather than setting the owner and group to user 0 (root).
tix-install tried to chown extracted files as the owner and group in the
archive, rather than the current user. It also applied the current umask
rather than restoring the same permissions.
This system call has five arguments, of which one is a 64-bit uid_t, and
another is a 64-bit gid_t, which means that 7 registers are needed. However,
x86 only has 5 registers available for system calls. Wrap the system call
with a structure like with mmap(2).
