[Bug libc/27709] New: arm: FAIL: debug/tst-longjmp_chk2

[Bug libc/27709] New: arm: FAIL: debug/tst-longjmp_chk2

[nsz at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27709

            Bug ID: 27709
           Summary: arm: FAIL: debug/tst-longjmp_chk2
           Product: glibc
           Version: 2.33
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: nsz at gcc dot gnu.org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

on arm i see

FAIL: debug/tst-longjmp_chk2

$ cat debug/tst-longjmp_chk2.out
not on alternate stack
 in signal handler
 on alternate stack
Didn't expect signal from child: got `Aborted'

which seems to happen if sp in setjmp is the bottom of the
sigaltstack and longjmp is called on the sigaltstack. i.e. the
following code crashes when compiled with -D_FORTIFIED_SOURCE=1


#include <signal.h>
#include <setjmp.h>

jmp_buf buf;

void handler (int sig)
{
  longjmp (buf, 1);
}

void setup_sigaltstack (char *p, size_t n)
{
  stack_t ss;
  struct sigaction sa;
  ss.ss_sp = p;
  ss.ss_size = n;
  ss.ss_flags = 0;
  sigaltstack (&ss, NULL);
  sigemptyset (&sa.sa_mask);
  sa.sa_handler = handler;
  sa.sa_flags = SA_ONSTACK;
  sigaction (SIGUSR1, &sa, NULL);
}

int main ()
{
  char alt[10000];
  setup_sigaltstack (alt, sizeof alt);
  if (setjmp (buf) == 0)
    raise (SIGUSR1);
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/27709] arm: FAIL: debug/tst-longjmp_chk2

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27709

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8d4d77f6c848538cfb9e5ad0a14825e7ae4a1657

commit 8d4d77f6c848538cfb9e5ad0a14825e7ae4a1657
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Wed Apr 7 12:45:53 2021 +0100

    arm: Fix an incorrect check in ____longjmp_chk [BZ #27709]

    An incorrect check in __longjmp_chk could fail on valid code causing

    FAIL: debug/tst-longjmp_chk2

    The original check was

      altstack_sp + altstack_size - setjmp_sp > altstack_size

    i.e. sp at setjmp was outside of the altstack range. Here we know that
    longjmp is called from a signal handler on the altstack (SS_ONSTACK),
    and that it jumps in the wrong direction (sp decreases), so the check
    wants to ensure the jump goes to another stack.

    The check is wrong when altstack_sp == setjmp_sp which can happen
    when the altstack is a local buffer in the function that calls setjmp,
    so the patch allows == too. This fixes bug 27709.

    Note that the generic __longjmp_chk check seems to be different.
    (it checks if longjmp was on the altstack but does not check setjmp,
    so it would not catch incorrect longjmp use within the signal handler).

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/27709] arm: FAIL: debug/tst-longjmp_chk2

[nsz at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27709

Szabolcs Nagy <nsz at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.34
             Status|NEW                         |RESOLVED

--- Comment #2 from Szabolcs Nagy <nsz at gcc dot gnu.org> ---
Fixed for 2.34.

-- 
You are receiving this mail because:
You are on the CC list for the bug.