sighook: Don't forget to reset list->tail on the last sigpop()

tavianator · tavianator · commit 39ff273df97e · 2024-10-10T11:56:27.000-04:00
This was causing a UAF if we ever unregistered the last hook for a signal and then re-registered one. Fixes: 75b7f70 ("sighook: Make sigunhook() O(1)")
diff --git a/src/sighook.c b/src/sighook.c
@@ -291,6 +291,8 @@ static void sigpop(struct siglist *list, struct sighook *hook) {
 	rcu_update(hook->self, next);
 	if (next) {
 		next->self = hook->self;
+	} else {
+		list->tail = &list->head;
 	}
 }
 
diff --git a/tests/sighook.c b/tests/sighook.c
@@ -60,6 +60,13 @@ void check_sighook(void) {
 		return;
 	}
 
+	// Check that we can unregister and re-register a hook
+	sigunhook(hook);
+	hook = sighook(SIGALRM, alrm_hook, NULL, SH_CONTINUE);
+	if (!bfs_echeck(hook, "sighook(SIGALRM)")) {
+		return;
+	}
+
 	// Create a timer that sends SIGALRM every 100 microseconds
 	struct timespec ival = { .tv_nsec = 100 * 1000 };
 	struct timer *timer = xtimer_start(&ival);

Original file line number	Diff line number	Diff line change
`@@ -291,6 +291,8 @@ static void sigpop(struct siglist list, struct sighook hook) {`
`291`	`291`	`rcu_update(hook->self, next);`
`292`	`292`	`if (next) {`
`293`	`293`	`next->self = hook->self;`
	`294`	`+ } else {`
	`295`	`+ list->tail = &list->head;`
`294`	`296`	`}`
`295`	`297`	`}`
`296`	`298`