Instead of using possibly complex ssh_signal(), write all the parts

of the grace_alarm_handler() using the exact things allowed by the
signal-safe rules.  This is a good rule of thumb: Handlers should
be written to either set a global volatile sig_atomic_t inspected
from outside, and/or directly perform only safe operations listed
in our sigaction(2) manual page.
ok djm markus

diff --git a/usr.bin/ssh/sshd-session.c b/usr.bin/ssh/sshd-session.c
index e75b4f8..54b7a8f 100644 (file)
--- a/usr.bin/ssh/sshd-session.c
+++ b/usr.bin/ssh/sshd-session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd-session.c,v 1.3 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: sshd-session.c,v 1.4 2024/06/26 23:16:52 deraadt Exp $ */
 /*
  * SSH2 implementation:
  * Privilege Separation:
@@ -176,6 +176,8 @@ static void do_ssh2_kex(struct ssh *);
 
 /*
  * Signal handler for the alarm after the login grace period has expired.
+ * As usual, this may only take signal-safe actions, even though it is
+ * terminal.
  */
 static void
 grace_alarm_handler(int sig)
@@ -185,7 +187,14 @@ grace_alarm_handler(int sig)
         * keys command helpers or privsep children.
         */
        if (getpgid(0) == getpid()) {
-               ssh_signal(SIGTERM, SIG_IGN);
+               struct sigaction sa;
+
+               /* mask all other signals while in handler */
+               memset(&sa, 0, sizeof(sa));
+               sa.sa_handler = SIG_IGN;
+               sigfillset(&sa.sa_mask);
+               sa.sa_flags = SA_RESTART;
+               (void)sigaction(SIGTERM, &sa, NULL);
                kill(0, SIGTERM);
        }
        _exit(EXIT_LOGIN_GRACE);