From: Andreas Fink <finkandreas@web.de>
To: libc-help <libc-help@sourceware.org>
Subject: segmentation fault with glibc-2.34
Date: Fri, 3 Dec 2021 14:38:05 +0100
Message-ID: <20211203143805.04797c96@anfink-laptop>
Hello,
I have observed a crash in firefox with glibc-2.34 and have found a
small reproducer.
Is the sigsys signal handler valid? If yes, then there is a bug in
glibc-2.34.
If it is invalid to set the result in the context, I think the firefox
sandbox is doing dodgy things.
gcc test.c -lseccomp
strace ./a.out
This test reproducer does not segfault with 2.33 (it gives a
"Permission denied")
Cheers
Andreas
[-- Attachment #2: test.c --]
#define _GNU_SOURCE
#include <err.h>
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <seccomp.h>
#include <signal.h>
#include <unistd.h>

#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX)

/* SIGSYS handler for SCMP_ACT_TRAP: the first trapped newfstatat is made to
 * "succeed" (return 0 without the kernel having filled the stat buffer);
 * every later one is made to fail with -EACCES. */
void sigsys_handler(int signum, siginfo_t *info, void *vctx) {
    static int ctr = 0;
    ucontext_t *ctx = vctx;
    intptr_t ret_val = 0;
    if (++ctr > 1)
        ret_val = -EACCES; // -13
    SECCOMP_RESULT(ctx) = (greg_t)ret_val;
}

static void sandbox(void)
{
    /* allow all syscalls by default */
    scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (!seccomp_ctx)
        err(1, "seccomp_init failed");
    /* deliver SIGSYS (SCMP_ACT_TRAP) if the process uses the "newfstatat" syscall */
    if (seccomp_rule_add_exact(seccomp_ctx, SCMP_ACT_TRAP,
                               seccomp_syscall_resolve_name("newfstatat"), 0)) {
        perror("seccomp_rule_add_exact failed");
        exit(1);
    }
    /* apply the composed filter */
    if (seccomp_load(seccomp_ctx)) {
        perror("seccomp_load failed");
        exit(1);
    }
    /* release allocated context */
    seccomp_release(seccomp_ctx);
}

int main(int argc, char **argv) {
    struct sigaction sa, old_sa;
    memset(&sa, 0, sizeof(sa));   /* do not leave sa_mask uninitialised */
    sa.sa_sigaction = sigsys_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSYS, &sa, &old_sa))
        err(1, "sigaction failed");
    sandbox();
    /* the library call that ends up in the trapped syscall */
    struct passwd *pwd = getpwuid(getuid());
    if (pwd) {
        printf("%s\n", pwd->pw_name);
    } else {
        perror("getpwuid failed");
    }
    return 0;
}
2021-12-03 13:38 Andreas Fink [this message]
2021-12-03 14:55 ` Adhemerval Zanella
2021-12-03 15:02 ` Florian Weimer
2021-12-03 15:15 ` Adhemerval Zanella
2021-12-03 15:03 ` Adhemerval Zanella