Skip to content

fix(tty): handle SendSignal error to prevent infinite loop #12362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
GHOryy5 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix(tty): handle SendSignal error to prevent infinite loop #12362

GHOryy5 wants to merge 2 commits into from

Conversation

@GHOryy5
Copy link

@GHOryy5 GHOryy5 commented Dec 9, 2025

The Issue
In CheckChange, the code ignores the error from SendSignal and returns ERESTARTSYS.
In Linux, TIF_SIGPENDING is set unconditionally, ensuring the loop breaks.
In gVisor, if SendSignal fails, no signal is pending. Returning ERESTARTSYS causes the syscall to restart immediately, leading to an infinite loop (DoS).

The Fix
I added an error check. If SendSignal fails, we return EIO to abort the syscall safely.

@google-cla
Copy link

google-cla bot commented Dec 9, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@GHOryy5
fixup! remove double SendSignal call and handle error correctly
6cbaff1 
Handle signal queuing failure to prevent infinite loop.
@ayushr2
Copy link
Collaborator

ayushr2 commented Dec 23, 2025

@GHOryy5 could you sign the CLA?

In gVisor, if SendSignal fails, no signal is pending.

From what I can see, ProcessGroup.SendSignal() => tg.leader.sendSignalLocked() => Task.sendSignalTimerLocked(), which does enqueue the signal onto Task.pendingSignals.

Regarding TIF_SIGPENDING, we explicitly don't set it per this comment:

gvisor/pkg/sentry/kernel/tty.go

Lines 150 to 155 in 466fd4e

// Note that Linux also unconditionally sets TIF_SIGPENDING on current,
// but this isn't necessary in gVisor because the rationale given in
// https://github.com/torvalds/linux/commit/040b6362d58f "tty: fix
// leakage of -ERESTARTSYS to userland" doesn't apply: the sentry will
// handle -ERESTARTSYS in kernel.runApp.execute() even if the
// kernel.Task isn't interrupted.

This comment was first added in 0a41ea7. cc @nixprime @nlacasse

@nixprime
Copy link
Member

nixprime commented Dec 23, 2025

In Linux, TIF_SIGPENDING is set unconditionally, ensuring the loop breaks.

Can you clarify what loop you're referring to? AFAIU, in Linux, TIF_SIGPENDING is required for the syscall exit path to observe that -ERESTARTSYS is being returned, but (without signal delivery to a handler) it will restart the syscall, resulting in the same behavior as in gVisor. Do you have a repro for the problem you're observing?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@GHOryy5 @ayushr2 @nixprime