From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.2 required=5.0 tests=MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
	SUBJ_OBFU_PUNCT_FEW autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 18903 invoked from network); 31 Aug 2020 01:07:27 -0000
Received: from mother.openwall.net (195.42.179.200)
  by inbox.vuxu.org with ESMTPUTF8; 31 Aug 2020 01:07:27 -0000
Received: (qmail 22233 invoked by uid 550); 31 Aug 2020 01:07:24 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Reply-To: musl@lists.openwall.com
Received: (qmail 22215 invoked from network); 31 Aug 2020 01:07:23 -0000
Date: Sun, 30 Aug 2020 21:07:10 -0400
From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Cc: Theodore Dubois <tblodt@icloud.com>
Message-ID: <20200831010710.GH3265@brightrain.aerifal.cx>
References: <3C00D395-838B-4DB0-99FC-3947F1BCF054@icloud.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3C00D395-838B-4DB0-99FC-3947F1BCF054@icloud.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [musl] i386 __set_thread_area will crash if the syscall fails

On Sun, Aug 30, 2020 at 05:34:09PM -0700, Theodore Dubois wrote:
> Found a (small) bug in this file:
> https://git.musl-libc.org/cgit/musl/tree/src/thread/i386/__set_thread_area..s
> 
> If the syscall fails, the branch on line 20 is taken and %eax will
> be a small negative number. Then "mov $123,%al" will make syscall
> 0xffffff7b instead of 0x7b, since overwriting %al only overwrites
> the low byte of %eax. So the modify_ldt fallback has apparently
> never worked.

Thanks! Indeed, systems where the first syscall fails are outside the
actually-supported version range (before 2.6) so it's likely that this
was never actually tested. Nowadays SECCOMP_FILTER makes it easy to
test, so we should actually try to test some of these things. Have you
checked if it works adding xor %eax,%eax before the byte mov or
changing it to a 32-bit mov?

> Tangentially, I'm not sure why this file has so many hardcoded magic
> numbers and no comments to explain what they are.

Really it shouldn't even be external asm anymore. I'm trying to move
as much external asm as possible to inline asm written in C, and this
could be written entirely with __syscall() after #define
SYSCALL_NO_TLS (recently added) and all the structures setup
explicitly in C. I'll take a stab at doing that after fixing the bug.

Rich