Date: Fri, 3 Dec 2021 14:38:05 +0100
From: Andreas Fink
To: libc-help
Subject: segmentation fault with glibc-2.34
Message-ID: <20211203143805.04797c96@anfink-laptop>
Hello,

I have observed a crash in firefox with glibc-2.34 and have found a small reproducer.

Is the sigsys signal handler valid? If yes, then there is a bug in glibc-2.34. If it is invalid to set the result in the context, I think the firefox sandbox is doing dodgy things.
gcc test.c -lseccomp
strace ./a.out

This test reproducer does not segfault with 2.33 (it gives a "Permission denied").

Cheers
Andreas

Content-Type: text/x-c++src
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=test.c

#define _GNU_SOURCE
#include <err.h>
#include <errno.h>
#include <pwd.h>
#include <seccomp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <ucontext.h>
#include <unistd.h>

/* x86_64: the syscall return value lives in RAX of the interrupted context */
#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX)

/* SIGSYS handler for SCMP_ACT_TRAP: the first trapped syscall is reported
 * to the caller as success (0), every later one as -EACCES */
void sigsys_handler(int signum, siginfo_t *info, void *vctx)
{
    static int ctr = 0;
    ucontext_t *ctx = vctx;
    intptr_t ret_val = 0;
    (void)signum;
    (void)info;
    if (++ctr > 1)
        ret_val = -13; // -EACCES
    SECCOMP_RESULT(ctx) = (greg_t)ret_val;
}

static void sandbox(void)
{
    /* allow all syscalls by default */
    scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (!seccomp_ctx)
        err(1, "seccomp_init failed");

    /* raise SIGSYS (SCMP_ACT_TRAP) if the process tries to use the "newfstatat" syscall */
    if (seccomp_rule_add_exact(seccomp_ctx, SCMP_ACT_TRAP,
                               seccomp_syscall_resolve_name("newfstatat"), 0)) {
        perror("seccomp_rule_add_exact failed");
        exit(1);
    }

    /* apply the composed filter */
    if (seccomp_load(seccomp_ctx)) {
        perror("seccomp_load failed");
        exit(1);
    }

    /* release allocated context */
    seccomp_release(seccomp_ctx);
}

int main(int argc, char **argv)
{
    struct sigaction sa, old_sa;
    (void)argc;
    (void)argv;

    /* zero the struct so sa_mask and the unused fields are defined */
    memset(&sa, 0, sizeof(sa));
    sigemptyset(&sa.sa_mask);
    sa.sa_sigaction = sigsys_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    if (sigaction(SIGSYS, &sa, &old_sa))
        err(1, "sigaction failed");

    sandbox();

    /* trigger: getpwuid() goes through NSS, which reads /etc/passwd */
    struct passwd *pwd = getpwuid(getuid());
    if (pwd) {
        printf("%s\n", pwd->pw_name);
    } else {
        perror("getpwuid failed");
    }
    return 0;
}