44 lines
1.3 KiB
Diff
44 lines
1.3 KiB
Diff
|
From 6df4a48ff6b31bedc2d0216b84dbe66cf9ca5e23 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Alexander Naumov <alexander_naumov@opensuse.org>
|
||
|
|
Date: Wed, 1 Feb 2023 13:47:57 +0200
|
||
|
|
Subject: [PATCH] Missing signal sending permission check on failed query
|
||
|
|
messages
|
||
|
|
|
||
|
|
When run as setuid root, one can send a query message to the
|
||
|
|
privileged screen process via its unix socket in order to force
|
||
|
|
it to send SIGHUP to a PID that can be freely specified in the
|
||
|
|
query packet.
|
||
|
|
Processes that do not explicitly handle SIGHUP will simply terminate
|
||
|
|
|
||
|
|
Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org>
|
||
|
|
---
|
||
|
|
socket.c | 9 +++++++--
|
||
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/socket.c b/socket.c
|
||
|
|
index bb68b35..0a575cf 100644
|
||
|
|
--- a/socket.c
|
||
|
|
+++ b/socket.c
|
||
|
|
@@ -1285,11 +1285,16 @@ ReceiveMsg()
|
||
|
|
else
|
||
|
|
queryflag = -1;
|
||
|
|
|
||
|
|
- Kill(m.m.command.apid,
|
||
|
|
+ if (CheckPid(m.m.command.apid)) {
|
||
|
|
+ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
|
||
|
|
+ }
|
||
|
|
+ else {
|
||
|
|
+ Kill(m.m.command.apid,
|
||
|
|
(queryflag >= 0)
|
||
|
|
? SIGCONT
|
||
|
|
: SIG_BYE); /* Send SIG_BYE if an error happened */
|
||
|
|
- queryflag = -1;
|
||
|
|
+ queryflag = -1;
|
||
|
|
+ }
|
||
|
|
}
|
||
|
|
break;
|
||
|
|
case MSG_COMMAND:
|
||
|
|
--
|
||
|
|
2.27.0
|
||
|
|
|