Subject: Re: sigreturn security checks
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Nathan J. Williams <nathanw@wasabisystems.com>
List: port-mips
Date: 04/11/2002 14:49:39
manu@netbsd.org (Emmanuel Dreyfus) writes:

> Generally speaking, in sigreturn, we take the saved machine state (as
> before signal delivery) from the user stack, and we restore it. Usually
> this machine state was saved by the kernel (sendsig), but the user
> process may tweak it.
> 
> Hence, we usually check that the user process does not try to gain
> improper privileges by modifying the signal context.

This is only a concern if the signal context contains state that the
user process would not normally be allowed to touch. The comment in
question:

/*
 * System call to cleanup state after a signal
 * has been taken.  Reset signal mask and
 * stack state from context left by sendsig (above).
 * Return to previous pc and psl as specified by
 * context left by sendsig. Check carefully to
 * make sure that the user has not modified the
 * psl to gain improper privileges or to cause
 * a machine fault.
 */

appears to have been copied verbatim from the i386 machdep.c. On the
i386, the "eflags" register, which is saved in struct sigcontext,
contains both user-accessible state such as overflow and carry flags,
and kernel-only state such as the privilege level and interrupt-enable
bits, so the i386 sigreturn() has to be careful to prevent sigreturn()
from setting those kernel-only fields.

> There is no such check in MIPS version of sigreturn, but the comment
> states that such checks should be done. Are such checks useless on MIPS?

The MIPS struct sigcontext does not appear to have such dangerous
state, with the possible exception of sc_fpc_eir, but that is neither
saved by sendsig() nor restored by sigreturn(). Thus, MIPS doesn't
need special checks.

        - Nathan
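An added worked example of the i386-style check Nathan describes above; this is illustrative code written for this note, not NetBSD's sigreturn() or its psl.h. The EFLAGS bit positions are the architectural x86 layout; the mask names (EFL_USER_BITS, EFL_STATIC_BITS), the helper names, the 0x1b stand-in user code selector and the simplified "RPL must be 3" rule (real kernels also accept VM86 frames) are this example's own assumptions. The idea is the one the i386 comment asks for: XOR the user-supplied eflags against what sendsig saved and refuse if any kernel-owned bit differs, and refuse a code selector that is not user privilege. The MIPS case in the reply corresponds to a context with no such kernel-owned field at all, so there is nothing to compare.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Architectural x86 EFLAGS bit positions. */
#define EFL_CF    (1u << 0)    /* carry */
#define EFL_MBO   (1u << 1)    /* reserved, always 1 */
#define EFL_PF    (1u << 2)    /* parity */
#define EFL_AF    (1u << 4)    /* auxiliary carry */
#define EFL_ZF    (1u << 6)    /* zero */
#define EFL_SF    (1u << 7)    /* sign */
#define EFL_TF    (1u << 8)    /* single-step trap */
#define EFL_IF    (1u << 9)    /* interrupt enable: kernel-only */
#define EFL_DF    (1u << 10)   /* direction */
#define EFL_OF    (1u << 11)   /* overflow */
#define EFL_IOPL  (3u << 12)   /* I/O privilege level: kernel-only */
#define EFL_NT    (1u << 14)   /* nested task: kernel-only */
#define EFL_RF    (1u << 16)   /* resume flag: kernel-only */
#define EFL_VM    (1u << 17)   /* virtual-8086 mode: kernel-only */
#define EFL_AC    (1u << 18)   /* alignment check */
#define EFL_VIF   (1u << 19)   /* virtual IF: kernel-only */
#define EFL_VIP   (1u << 20)   /* virtual interrupt pending: kernel-only */
#define EFL_ID    (1u << 21)   /* CPUID available */

/* Bits a user process may legitimately change between signal delivery
 * and sigreturn: the condition flags, DF, TF (debuggers set it), AC, ID.
 * Everything else, reserved bits included, is "static" from the user's
 * point of view and must come back exactly as sendsig saved it.
 * (These mask names are this example's own, not NetBSD's.) */
#define EFL_USER_BITS   (EFL_CF | EFL_PF | EFL_AF | EFL_ZF | EFL_SF | \
                         EFL_TF | EFL_DF | EFL_OF | EFL_AC | EFL_ID)
#define EFL_STATIC_BITS (~EFL_USER_BITS)

/* The requested privilege level of a segment selector is its low two
 * bits; user code runs at RPL 3.  Simplified: VM86 frames are not
 * considered here. */
#define SEL_RPL(sel)    ((sel) & 3u)
#define SEL_UPL         3u

/*
 * sigreturn-style validation of the eflags/cs pair a process handed back
 * in its sigcontext.  cur_eflags is what the trap frame holds now (what
 * sendsig saved); new_eflags and new_cs are what the process wants
 * restored.  Returns 0 if the context is safe to install, EINVAL otherwise.
 */
int sigreturn_check_eflags(uint32_t cur_eflags, uint32_t new_eflags,
                           uint16_t new_cs)
{
    /* Any difference in a kernel-only bit means the user edited it. */
    if (((new_eflags ^ cur_eflags) & EFL_STATIC_BITS) != 0)
        return EINVAL;
    /* Never return to a code segment that is not user privilege. */
    if (SEL_RPL(new_cs) != SEL_UPL)
        return EINVAL;
    return 0;
}

/*
 * Alternative policy: instead of rejecting the context, keep the
 * kernel-owned bits from the trap frame and take only the user-editable
 * bits from the supplied context.  The result is always safe to install,
 * at the cost of silently ignoring part of what the process asked for.
 */
uint32_t sigreturn_merge_eflags(uint32_t cur_eflags, uint32_t new_eflags)
{
    return (cur_eflags & EFL_STATIC_BITS) | (new_eflags & EFL_USER_BITS);
}

int main(void)
{
    /* Constructed sample: a user-mode trap frame normally has IF set plus
     * the always-one bit.  0x1b (GDT index 3, RPL 3) is a stand-in user
     * code selector assumed by this example. */
    const uint32_t saved = EFL_MBO | EFL_IF;
    const uint16_t ucs = 0x1b;

    printf("flip CF/OF      -> %d\n",
           sigreturn_check_eflags(saved, saved | EFL_CF | EFL_OF, ucs));
    printf("raise IOPL to 3 -> %d\n",
           sigreturn_check_eflags(saved, saved | EFL_IOPL, ucs));
    printf("clear IF        -> %d\n",
           sigreturn_check_eflags(saved, saved & ~EFL_IF, ucs));
    printf("ring-0 cs       -> %d\n",
           sigreturn_check_eflags(saved, saved, 0x08));
    printf("merged IOPL req -> 0x%x\n",
           (unsigned)sigreturn_merge_eflags(saved, saved | EFL_IOPL | EFL_ZF));
    return 0;
}
```

The XOR form is what makes the check robust: it does not need to know the "right" value of IF or IOPL, only that the user did not change them, so it also covers reserved bits that a future CPU might define. Clearing IF via sigreturn is the "cause a machine fault" half of the comment (returning to user mode with interrupts off), and raising IOPL or returning to a ring-0 selector is the "gain improper privileges" half.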