From 5bb3f0114bc6941506d432018487c35c3c19032d Mon Sep 17 00:00:00 2001 From: Ashlen Date: Wed, 15 Jul 2026 11:44:40 -0600 Subject: [PATCH 1/2] fix(emerg-shutdown): close fds for non-panic input devices The input-device enumeration loop opens a descriptor for every /dev/input/eventN but only stores it for devices that support the panic-key combo. The two early-continue paths -- non-key devices and keyboards lacking the panic keys -- returned without closing tmp_fd, leaking one descriptor per non-qualifying device. The leak is bounded and one-time (the loop runs once at startup, not in the poll loop) so impact is low, but the descriptors are held for the whole process lifetime and never reclaimed -- the daemon never execs, so O_CLOEXEC does not cover them. Close tmp_fd before both continues. --- usr/src/security-misc/emerg-shutdown.c#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/src/security-misc/emerg-shutdown.c#security-misc-shared b/usr/src/security-misc/emerg-shutdown.c#security-misc-shared index 509200b6..cc7f0bba 100644 --- a/usr/src/security-misc/emerg-shutdown.c#security-misc-shared +++ b/usr/src/security-misc/emerg-shutdown.c#security-misc-shared @@ -684,6 +684,7 @@ void hw_monitor(int argc, char **argv) { } if (!bitset_get(key_flags, EV_KEY)) { + close(tmp_fd); continue; } @@ -708,6 +709,7 @@ void hw_monitor(int argc, char **argv) { } } if (!supports_panic) { + close(tmp_fd); continue; } From 81096c4b8fd58b42c04c486e89b1ff016365f62a Mon Sep 17 00:00:00 2001 From: Ashlen Date: Wed, 15 Jul 2026 11:45:21 -0600 Subject: [PATCH 2/2] fix(emerg-shutdown): swallow SIGSYS in signal-ignore loop max_sig_num is 31, but the SIG_IGN loop used a strict "<" bound, so it covered signals 1..30 and never touched signal 31 (SIGSYS on Linux). The real-time loop starts at SIGRTMIN, leaving SIGSYS covered by neither loop, so it kept its default terminate disposition despite the "Swallow all signals that we can." intent. Use "<=" so the loop reaches 31; SIGSYS is ignorable, and the bound still stops before the glibc-reserved signals 32 and 33. This is a robustness fix, not a hardening gain: SIGKILL and SIGSTOP are unblockable anyway, so an actor able to send SIGSYS can already kill the monitor -- the value is surviving an internally generated SIGSYS (e.g. a bad syscall). --- usr/src/security-misc/emerg-shutdown.c#security-misc-shared | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/src/security-misc/emerg-shutdown.c#security-misc-shared b/usr/src/security-misc/emerg-shutdown.c#security-misc-shared index cc7f0bba..a8c5c7ee 100644 --- a/usr/src/security-misc/emerg-shutdown.c#security-misc-shared +++ b/usr/src/security-misc/emerg-shutdown.c#security-misc-shared @@ -1011,7 +1011,7 @@ void fifo_monitor(char **argv) { /* Swallow all signals that we can. */ sigact_swallow.sa_handler = SIG_IGN; - for (sig_idx = 1; sig_idx < max_sig_num; sig_idx++) { + for (sig_idx = 1; sig_idx <= max_sig_num; sig_idx++) { if (sig_idx == SIGSTOP) { continue; }