Subject: Re: segmentation fault with glibc-2.34
From: Adhemerval Zanella
To: Andreas Fink
Cc: libc-help
Date: Fri, 3 Dec 2021 12:03:53 -0300
References: <20211203143805.04797c96@anfink-laptop>
List-Id: Libc-help mailing list

On 03/12/2021 11:55, Adhemerval Zanella wrote:
> On Fri, Dec 3, 2021 at 10:38 AM Andreas Fink via Libc-help wrote:
>>
>> Hello,
>> I have observed a crash in firefox with glibc-2.34 and have found a
>> small reproducer.
>> Is the sigsys signal handler valid? If yes, then there is a bug in
>> glibc-2.34.
>> If it is invalid to set the result in the context, I think the firefox
>> sandbox is doing dodgy things.
>>
>> gcc test.c -lseccomp
>> strace ./a.out
>
> The seccomp filter *explicitly* blocks newfstatat, which might be used
> by getpwuid.

Oops, I didn't get the issue at first.
It seems that the syscall return code is not being set as expected:

(gdb) disas
Dump of assembler code for function __GI___fstatat64:
   0x00007ffff7e6fe70 <+0>:     endbr64
   0x00007ffff7e6fe74 <+4>:     mov    %ecx,%r10d
   0x00007ffff7e6fe77 <+7>:     mov    $0x106,%eax
   0x00007ffff7e6fe7c <+12>:    syscall
   0x00007ffff7e6fe7e <+14>:    cmp    $0xfffff000,%eax
=> 0x00007ffff7e6fe83 <+19>:    ja     0x7ffff7e6fe90 <__GI___fstatat64+32>
   0x00007ffff7e6fe85 <+21>:    xor    %eax,%eax
   0x00007ffff7e6fe87 <+23>:    ret
   0x00007ffff7e6fe88 <+24>:    nopl   0x0(%rax,%rax,1)
   0x00007ffff7e6fe90 <+32>:    mov    0x100f79(%rip),%rdx        # 0x7ffff7f70e10
   0x00007ffff7e6fe97 <+39>:    neg    %eax
   0x00007ffff7e6fe99 <+41>:    mov    %eax,%fs:(%rdx)
   0x00007ffff7e6fe9c <+44>:    mov    $0xffffffff,%eax
   0x00007ffff7e6fea1 <+49>:    ret
End of assembler dump.
(gdb) i r eax
eax            0x0                 0

Which makes getpwuid access uninitialized/invalid memory later.