From d6bcd13297c2ab8b528df5a6898f994734849031 Mon Sep 17 00:00:00 2001 From: "deraadt@openbsd.org" Date: Wed, 26 Jun 2024 23:16:52 +0000 Subject: upstream: Instead of using possibly complex ssh_signal(), write all the parts of the grace_alarm_handler() using the exact things allowed by the signal-safe rules. This is a good rule of thumb: Handlers should be written to either set a global volatile sig_atomic_t inspected from outside, and/or directly perform only safe operations listed in our sigaction(2) manual page. ok djm markus OpenBSD-Commit-ID: 14168ae8368aab76e4ed79e17a667cb46f404ecd --- sshd-session.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'sshd-session.c') diff --git a/sshd-session.c b/sshd-session.c index 7ab1ea472..fe6ae7f32 100644 --- a/sshd-session.c +++ b/sshd-session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd-session.c,v 1.3 2024/06/06 17:15:25 djm Exp $ */ +/* $OpenBSD: sshd-session.c,v 1.4 2024/06/26 23:16:52 deraadt Exp $ */ /* * SSH2 implementation: * Privilege Separation: @@ -197,6 +197,8 @@ static void do_ssh2_kex(struct ssh *); /* * Signal handler for the alarm after the login grace period has expired. + * As usual, this may only take signal-safe actions, even though it is + * terminal. */ static void grace_alarm_handler(int sig) @@ -206,7 +208,14 @@ grace_alarm_handler(int sig) * keys command helpers or privsep children. */ if (getpgid(0) == getpid()) { - ssh_signal(SIGTERM, SIG_IGN); + struct sigaction sa; + + /* mask all other signals while in handler */ + memset(&sa, 0, sizeof(sa)); + sa.sa_handler = SIG_IGN; + sigfillset(&sa.sa_mask); + sa.sa_flags = SA_RESTART; + (void)sigaction(SIGTERM, &sa, NULL); kill(0, SIGTERM); } _exit(EXIT_LOGIN_GRACE); -- cgit v1.2.3