From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.2 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SUBJ_OBFU_PUNCT_FEW autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 29945 invoked from network); 31 Aug 2020 02:51:56 -0000 Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with ESMTPUTF8; 31 Aug 2020 02:51:56 -0000 Received: (qmail 30702 invoked by uid 550); 31 Aug 2020 02:51:51 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 30684 invoked from network); 31 Aug 2020 02:51:50 -0000 Date: Sun, 30 Aug 2020 22:51:38 -0400 From: Rich Felker To: musl@lists.openwall.com Cc: Theodore Dubois Message-ID: <20200831025138.GK3265@brightrain.aerifal.cx> References: <3C00D395-838B-4DB0-99FC-3947F1BCF054@icloud.com> <20200831010710.GH3265@brightrain.aerifal.cx> <20200831014145.GI3265@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="z4+8/lEcDcG5Ke9S" Content-Disposition: inline In-Reply-To: <20200831014145.GI3265@brightrain.aerifal.cx> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [musl] i386 __set_thread_area will crash if the syscall fails --z4+8/lEcDcG5Ke9S Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sun, Aug 30, 2020 at 09:41:45PM -0400, Rich Felker wrote: > On Sun, Aug 30, 2020 at 09:07:10PM -0400, Rich Felker wrote: > > On Sun, Aug 30, 2020 at 05:34:09PM -0700, Theodore Dubois wrote: > > > Found a (small) bug in this file: > > > https://git.musl-libc.org/cgit/musl/tree/src/thread/i386/__set_thread_area..s > > > > > > If the syscall fails, the branch on line 20 is taken and %eax will > > > be a small negative number. Then "mov $123,%al" will make syscall > > > 0xffffff7b instead of 0x7b, since overwriting %al only overwrites > > > the low byte of %eax. So the modify_ldt fallback has apparently > > > never worked. > > > > Thanks! Indeed, systems where the first syscall fails are outside the > > actually-supported version range (before 2.6) so it's likely that this > > was never actually tested. Nowadays SECCOMP_FILTER makes it easy to > > test, so we should actually try to test some of these things. Have you > > checked if it works adding xor %eax,%eax before the byte mov or > > changing it to a 32-bit mov? > > OK, I just confirmed it works after this change. I'll push a fix soon > along with a bunch of other pending commits. Thanks again for the > report. The attached should be the equivalent in C, but it's somewhat larger. Somewhat indifferent on replacing it. Rich --z4+8/lEcDcG5Ke9S Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="__set_thread_area.c" #define SYSCALL_NO_TLS 1 #include #include "syscall.h" struct user_desc { uint32_t entry_number; uint32_t base_addr; uint32_t limit; uint32_t flags; }; static int entry_number = -1; int __set_thread_area_2(void *p) { struct user_desc desc = { entry_number, (uintptr_t)p, 0xfffff, 0x51 }; int r = __syscall(SYS_set_thread_area, &desc); if (!r) { entry_number = desc.entry_number; __asm__ __volatile__ ("mov %0,%%gs" : : "r"(3+8*desc.entry_number)); return 0; } desc.entry_number = 0; r = __syscall(SYS_modify_ldt, 1, &desc, 16); if (!r) { __asm__ __volatile__ ("mov %0,%%gs" : : "r"(7)); return 1; } return r; } --z4+8/lEcDcG5Ke9S--