From: deraadt Date: Wed, 26 Jun 2024 23:16:52 +0000 (+0000) Subject: Instead of using possibly complex ssh_signal(), write all the parts X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=bdb58b7f667c65dbb5ce1d0ba69d4a4de2ed3f63;p=openbsd Instead of using possibly complex ssh_signal(), write all the parts of the grace_alarm_handler() using the exact things allowed by the signal-safe rules. This is a good rule of thumb: Handlers should be written to either set a global volatile sig_atomic_t inspected from outside, and/or directly perform only safe operations listed in our sigaction(2) manual page. ok djm markus --- diff --git a/usr.bin/ssh/sshd-session.c b/usr.bin/ssh/sshd-session.c index e75b4f80bca..54b7a8f71e6 100644 --- a/usr.bin/ssh/sshd-session.c +++ b/usr.bin/ssh/sshd-session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd-session.c,v 1.3 2024/06/06 17:15:25 djm Exp $ */ +/* $OpenBSD: sshd-session.c,v 1.4 2024/06/26 23:16:52 deraadt Exp $ */ /* * SSH2 implementation: * Privilege Separation: @@ -176,6 +176,8 @@ static void do_ssh2_kex(struct ssh *); /* * Signal handler for the alarm after the login grace period has expired. + * As usual, this may only take signal-safe actions, even though it is + * terminal. */ static void grace_alarm_handler(int sig) @@ -185,7 +187,14 @@ grace_alarm_handler(int sig) * keys command helpers or privsep children. */ if (getpgid(0) == getpid()) { - ssh_signal(SIGTERM, SIG_IGN); + struct sigaction sa; + + /* mask all other signals while in handler */ + memset(&sa, 0, sizeof(sa)); + sa.sa_handler = SIG_IGN; + sigfillset(&sa.sa_mask); + sa.sa_flags = SA_RESTART; + (void)sigaction(SIGTERM, &sa, NULL); kill(0, SIGTERM); } _exit(EXIT_LOGIN_GRACE);