From: Alexander Monakov <amonakov@ispras.ru>
To: musl@lists.openwall.com
Subject: [PATCH] faccessat: fix error code on setreXid failure
Date: Tue, 30 Jan 2018 23:32:37 +0300 [thread overview]
Message-ID: <20180130203237.4580-1-amonakov@ispras.ru> (raw)
Commit 316d6741b68b485205d7233c98bd6c795bb80370 changed one use of
SYS_exit in 'checker' without changing another just three lines above,
and then commit f9fb20b42da0e755d93de229a5a737d79a0e8f60 changed the
meaning of return value, causing EACCES to be reported instead of EBUSY
if preparatory setregid/setreuid fail.
---
This is the minimal fix for the issue, but it appears there's another:
collecting checker's exit code and reaping the zombie is implemented as
int status;
do {
__syscall(SYS_wait4, pid, &status, __WCLONE, 0);
} while (!WIFEXITED(status) && !WIFSIGNALED(status));
but I don't understand why this retry loop is required and correct:
- if another thread won the race to collect the zombie by doing something
like waitpid(-1, 0, __WALL), it fails to check syscall's return value and
uses uninitialized 'status', possibly causing an infinite loop or OOB access
in the parent;
- the code seems to assume that the zombie will not be auto-collected even if
SIGCHLD disposition is set to SIG_IGN; this sounds logical, but not explicitly
documented as far as I can tell;
- if the two problems above don't arise, I don't see how the test in while ()
condition can fail; we have signals blocked, so waitpid can only return when
the child no longer exists.
Plus, using CLONE_VM | CLONE_VFORK would help conserve resources.
Alexander
src/unistd/faccessat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/unistd/faccessat.c b/src/unistd/faccessat.c
index 33478959..954cbdb4 100644
--- a/src/unistd/faccessat.c
+++ b/src/unistd/faccessat.c
@@ -25,7 +25,7 @@ static int checker(void *p)
int i;
if (__syscall(SYS_setregid, __syscall(SYS_getegid), -1)
|| __syscall(SYS_setreuid, __syscall(SYS_geteuid), -1))
- __syscall(SYS_exit, 1);
+ return sizeof errors/sizeof *errors - 1;
ret = __syscall(SYS_faccessat, c->fd, c->filename, c->amode, 0);
for (i=0; i < sizeof errors/sizeof *errors - 1 && ret!=errors[i]; i++);
return i;
--
2.11.0
next reply other threads:[~2018-01-30 20:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-30 20:32 Alexander Monakov [this message]
2018-01-30 21:33 ` Rich Felker
2018-01-30 21:51 ` Alexander Monakov
2018-01-30 22:07 ` Rich Felker
2018-01-30 22:20 ` Alexander Monakov
2018-02-01 3:19 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180130203237.4580-1-amonakov@ispras.ru \
--to=amonakov@ispras.ru \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).