From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.2 required=5.0 tests=MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
	SUBJ_OBFU_PUNCT_FEW autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 22569 invoked from network); 31 Aug 2020 01:42:00 -0000
Received: from mother.openwall.net (195.42.179.200)
  by inbox.vuxu.org with ESMTPUTF8; 31 Aug 2020 01:42:00 -0000
Received: (qmail 32146 invoked by uid 550); 31 Aug 2020 01:41:58 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Reply-To: musl@lists.openwall.com
Received: (qmail 32128 invoked from network); 31 Aug 2020 01:41:57 -0000
Date: Sun, 30 Aug 2020 21:41:45 -0400
From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Cc: Theodore Dubois <tblodt@icloud.com>
Message-ID: <20200831014145.GI3265@brightrain.aerifal.cx>
References: <3C00D395-838B-4DB0-99FC-3947F1BCF054@icloud.com>
 <20200831010710.GH3265@brightrain.aerifal.cx>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200831010710.GH3265@brightrain.aerifal.cx>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [musl] i386 __set_thread_area will crash if the syscall fails

On Sun, Aug 30, 2020 at 09:07:10PM -0400, Rich Felker wrote:
> On Sun, Aug 30, 2020 at 05:34:09PM -0700, Theodore Dubois wrote:
> > Found a (small) bug in this file:
> > https://git.musl-libc.org/cgit/musl/tree/src/thread/i386/__set_thread_area..s
> > 
> > If the syscall fails, the branch on line 20 is taken and %eax will
> > be a small negative number. Then "mov $123,%al" will make syscall
> > 0xffffff7b instead of 0x7b, since overwriting %al only overwrites
> > the low byte of %eax. So the modify_ldt fallback has apparently
> > never worked.
> 
> Thanks! Indeed, systems where the first syscall fails are outside the
> actually-supported version range (before 2.6) so it's likely that this
> was never actually tested. Nowadays SECCOMP_FILTER makes it easy to
> test, so we should actually try to test some of these things. Have you
> checked if it works adding xor %eax,%eax before the byte mov or
> changing it to a 32-bit mov?

OK, I just confirmed it works after this change. I'll push a fix soon
along with a bunch of other pending commits. Thanks again for the
report.

Rich