SIGSTOP can be ignored

Originator: mackyle
Number: rdar://6851193
Date Originated: 03-May-2009 11:27 AM
Status: Open
Resolved:
Product: Mac OS X
Product Version: 10.5.6/9G55
Classification: Security
Reproducible: Always

SUMMARY:

SIGSTOP and SIGKILL are the only two signals that "cannot be caught or ignored".  Unfortunately, that's not true with regard to SIGSTOP.  The included example program arranges to ignore SIGSTOP.  Since that is not supposed to be possible, this represents a potential security hole.


STEPS TO REPRODUCE:

1. Save the following source code as ignorestop.c (it's also attached as a file to this report):

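  #include <stddef.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <signal.h>
  #include <time.h>
  #include <unistd.h>
  
  int main()
  {
    int c;
    sigset_t sigs;
    pthread_t ignored; /* unused */
    /* Block SIGCONT in this process so it stays pending for sigwait() */
    sigemptyset(&sigs);
    sigaddset(&sigs, SIGCONT);
    sigprocmask(SIG_BLOCK, &sigs, NULL);
    /* No need to reap the helper child */
    signal(SIGCHLD, SIG_IGN);
    if (fork() == 0) {
      /* Child: wait 125 ms, then send SIGSTOP followed by SIGCONT to the parent */
      struct timespec delay = {0, 125000000};
      nanosleep(&delay, NULL);
      kill(getppid(), SIGSTOP);
      kill(getppid(), SIGCONT);
      exit(0);
    }
    /* Parent: wait for the blocked SIGCONT sent by the child */
    sigwait(&sigs, &c);
    /* From here on, a SIGSTOP sent to this process no longer stops it */
    for (c=0;;) {
      printf("Ignoring SIGSTOP now %d\n", ++c);
      sleep(1);
    }
    return 0;
  }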

2. Compile the above ignorestop.c file at a shell prompt (this assumes the developer tools are installed, which provide the gcc compiler) like so:

  gcc -o ignorestop ignorestop.c

3. Now run it and attempt to stop it from a shell prompt like this:

  ./ignorestop& sleep 2; killall -STOP ignorestop

4. Notice how, even after the 2-second sleep delay, the process continues to run, outputting a message every second.


EXPECTED RESULTS:

The expectation is that killing a process with -STOP will stop it, as the system is supposed to guarantee that neither SIGSTOP nor SIGKILL can ever be ignored or caught.  Other systems (notably Linux) do not suffer from this bug.  (NOTE:  You cannot verify whether or not a job is stopped using the ps command, as it does not properly report stopped jobs.  See rdar://6851143)


REGRESSION:

SIGSTOP can also be ignored with the above technique on 10.4.11. I did not test any prior versions of Mac OS X.


NOTES:

Works correctly on Linux (SIGSTOP cannot be ignored).
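
Because ps cannot be relied on here to show whether a job is stopped, the following added example (not part of the original report; the function names stopped_within and check_program are hypothetical) checks the stop state directly with waitpid() and WUNTRACED. waitpid() only reports on the caller's own children, so the checker forks the program under test itself, and it assumes the child has no earlier, still unreported stop.

```c
/* Added example, not from the report. Function names are hypothetical. */
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Send SIGSTOP to our own child and poll waitpid(WUNTRACED) for the stop.
   Returns 1 if it stopped within timeout_ms, 0 if it kept running,
   -1 if it was already gone (the child has then been reaped). */
int stopped_within(pid_t child, int timeout_ms)
{
    struct timespec step = {0, 10000000};   /* poll every 10 ms */
    int status, waited;
    if (kill(child, SIGSTOP) != 0) return -1;
    for (waited = 0; waited <= timeout_ms; waited += 10) {
        pid_t r = waitpid(child, &status, WUNTRACED | WNOHANG);
        if (r == child) return WIFSTOPPED(status) ? 1 : -1;
        if (r < 0) return -1;
        nanosleep(&step, NULL);
    }
    return 0;
}

/* Fork a child that execs argv (or idles in pause() when argv is NULL),
   let it run for settle_ms, then test whether SIGSTOP stops it. */
int check_program(char *const argv[], int settle_ms, int timeout_ms)
{
    struct timespec settle = {settle_ms / 1000, (settle_ms % 1000) * 1000000L};
    int result;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (argv != NULL) { execvp(argv[0], argv); _exit(127); }
        for (;;) pause();
    }
    nanosleep(&settle, NULL);
    result = stopped_within(child, timeout_ms);
    if (result >= 0) {                      /* still ours: clean it up */
        kill(child, SIGKILL);
        waitpid(child, NULL, 0);
    }
    return result;
}

int main(int argc, char **argv)
{
    int r = check_program(argc > 1 ? argv + 1 : NULL, 500, 1000);
    puts(r == 1 ? "stopped" : r == 0 ? "NOT stopped" : "error");
    return r == 1 ? 0 : 1;
}
```

Run with no arguments to check an idle child, or pass a command line to check that program instead; exit status 0 means the child entered the stopped state.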
