This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/22564] New: Enhance Safety check
- From: "akhilesh.k at samsung dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 07 Dec 2017 04:50:43 +0000
- Subject: [Bug libc/22564] New: Enhance Safety check
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22564
Bug ID: 22564
Summary: Enhance Safety check
Product: glibc
Version: 2.26
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: akhilesh.k at samsung dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Dear All,
I found one strange behavior during crash analysis: my process is terminated
with signal SIGILL.
It looks like the system is terminated due to a wrong system call, because my r7
also looks invalid and the si pointer is null; this issue could be due to some
memory corruption in my stack.
I believe in such types of cases we can change the check below to get SIGSEGV
instead of SIGILL.
14 nptl/nptl-init.c | 12 ++++++------
15 1 files changed, 6 insertions(+), 6 deletions(-)
16
17 diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
18 index 2921607..df32ec1 100644
19 --- a/nptl/nptl-init.c
20 +++ b/nptl/nptl-init.c
21 @@ -184,9 +184,9 @@ sigcancel_handler (int sig, siginfo_t *si, void *ctx)
22 other signals and send a signal from another process. This is not
23 correct and might even be a security problem. Try to catch as
24 many incorrect invocations as possible. */
25 - if (sig != SIGCANCEL
26 - || si->si_pid != __getpid()
27 - || si->si_code != SI_TKILL)
28 + if (si->si_pid != __getpid()
29 + || si->si_code != SI_TKILL
30 + || sig != SIGCANCEL)
31 return;
32
33 struct pthread *self = THREAD_SELF;
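Review bot: moving `sig != SIGCANCEL` to the end of the disjunction at `if (si->si_pid != __getpid()` does not change which invocations are rejected (the three tests are OR'ed, so the rejected set is identical), but it makes the handler dereference `si` before the signal number has been validated, so a bogus invocation arriving with an unusable `si` now faults inside the handler instead of returning. If the goal is to reject a null `si` explicitly, add `|| si == NULL` ahead of the `si->` tests rather than relying on evaluation order to produce a fault, and give the rationale in the commit message, since the comment above the check ("Try to catch as many incorrect invocations as possible") still describes exactly the old behaviour.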
34 @@ -239,9 +239,9 @@ sighandler_setxid (int sig, siginfo_t *si, void *ctx)
35 other signals and send a signal from another process. This is not
36 correct and might even be a security problem. Try to catch as
37 many incorrect invocations as possible. */
38 - if (sig != SIGSETXID
39 - || si->si_pid != __getpid ()
40 - || si->si_code != SI_TKILL)
41 + if (si->si_pid != __getpid ()
42 + || si->si_code != SI_TKILL
43 + || sig != SIGSETXID)
44 return;
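Review bot: the same ordering concern applies to `if (si->si_pid != __getpid ()` here, and this hunk does not reach the failure shown in the gdb session below: the `=>` marker at +108 means execution already passed the `sig` compare at +0, the `si_pid` load and compare at +24/+40 and the `si_code` test at +72 (`cmn r3, #6`, i.e. SI_TKILL), and the trap follows the `svc` at +104 issued with `__xidcmd->syscall_no = 0xbe49f3d8`. None of the three conditions inspects `__xidcmd`, so reordering them cannot change what that syscall produces; the garbage in `*__xidcmd` (and the `si=0x0` gdb reports for a frame that has already completed the `si->` loads) point at memory corruption that needs a separate fix, not a reordered check.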
  // Syscall triggered with invalid syscall_no
  result = INTERNAL_SYSCALL_NCS (__xidcmd->syscall_no, err, 3, __xidcmd->id[0],
                                 __xidcmd->id[1], __xidcmd->id[2]);
  int error = 0;
  if (__glibc_unlikely (INTERNAL_SYSCALL_ERROR_P (result, err)))
    error = INTERNAL_SYSCALL_ERRNO (result, err);
  __nptl_setxid_error (__xidcmd, error);
(gdb) p/x *__xidcmd
$2 = {syscall_no = 0xbe49f3d8, id = {0xbe49f40b, 0xbe49f7c3, 0xbe49f3d8}, cntr = 0xbe49f7c3, error = 0x0}
(gdb) p *__xidcmd
$2 = {syscall_no = -1102449704, id = {-1102449653, -1102448701, -1102449704}, cntr = -1102448701, error = 0}
(gdb)
(gdb) disassemble
Dump of assembler code for function sighandler_setxid:
0xb6485594 <+0>: cmp r0, #33 ; 0x21
0xb6485598 <+4>: bxne lr
0xb648559c <+8>: str r4, [sp, #-12]!
0xb64855a0 <+12>: mrc 15, 0, r4, cr13, cr0, {3}
0xb64855a4 <+16>: ldr r3, [r4, #-1108] ; 0xfffffbac
0xb64855a8 <+20>: stmib sp, {r7, lr}
0xb64855ac <+24>: ldr r2, [r1, #12]
0xb64855b0 <+28>: cmp r3, #0
0xb64855b4 <+32>: rsblt r3, r3, #0
0xb64855b8 <+36>: sub sp, sp, #20
0xb64855bc <+40>: cmp r2, r3
0xb64855c0 <+44>: beq 0xb64855d8 <sighandler_setxid+68>
0xb64855c4 <+48>: add sp, sp, #20
0xb64855c8 <+52>: ldr r4, [sp]
0xb64855cc <+56>: ldr r7, [sp, #4]
0xb64855d0 <+60>: add sp, sp, #8
0xb64855d4 <+64>: pop {pc} ; (ldr pc, [sp], #4)
0xb64855d8 <+68>: ldr r3, [r1, #8]
0xb64855dc <+72>: cmn r3, #6
0xb64855e0 <+76>: bne 0xb64855c4 <sighandler_setxid+48>
0xb64855e4 <+80>: ldr r3, [pc, #352] ; 0xb648574c <sighandler_setxid+440>
0xb64855e8 <+84>: add r3, pc, r3
0xb64855ec <+88>: ldr r3, [r3]
0xb64855f0 <+92>: ldr r7, [r3]
0xb64855f4 <+96>: ldrd r0, [r3, #4]
0xb64855f8 <+100>: ldr r2, [r3, #12]
0xb64855fc <+104>: svc 0x00000000
=> 0xb6485600 <+108>: ldr r3, [pc, #328] ; 0xb6485750 <sighandler_setxid+444>
0xb6485604 <+112>: cmn r0, #4096 ; 0x1000
(gdb) info locals
pid = 6776
result = 0
error = 0
self = <optimized out>
flags = <optimized out>
newval = <optimized out>
(gdb) info threads
Id Target Id Frame
* 1 LWP 6806 sighandler_setxid (sig=<optimized out>, si=0x0, ctx=<optimized out>) at nptl-init.c:269
2 LWP 6809 0xb6491f34 in futex_abstimed_wait_cancelable (private=128, abstime=0x0, expected=1, futex_word=0x525d00) at ../sysdeps/unix/sysv/linux/futex-internal.h:205
3 LWP 6811 0xb648f2c4 in __pthread_cond_wait (cond=cond@entry=0x5404a8, mutex=mutex@entry=0x540490) at pthread_cond_wait.c:186
4 LWP 6776 0xb648877c in pthread_join (threadid=<optimized out>, thread_return=thread_return@entry=0x0) at pthread_join.c:90
5 LWP 6804 0xb6491f34 in futex_abstimed_wait_cancelable (private=128, abstime=0x0, expected=1, futex_word=0x523948) at ../sysdeps/unix/sysv/linux/futex-internal.h:205
6 LWP 6803 0xb6491f34 in futex_abstimed_wait_cancelable (private=128, abstime=0x0, expected=1, futex_word=0x523598) at ../sysdeps/unix/sysv/linux/futex-internal.h:205
(gdb)
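As an added example (not glibc's code and not part of the report), the following stand-alone C program mirrors the handler's validation with an explicit NULL guard in front of the `si->` tests, and then shows what the SI_TKILL condition actually distinguishes: the same signal delivered with tgkill (as the setxid broadcast does) is accepted, while kill(2) to the process is rejected. `XID_SIGNAL` standing in for SIGSETXID and the function names are choices made for this example.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdbool.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Stand-in for glibc's internal SIGSETXID; hypothetical choice for this demo.  */
#define XID_SIGNAL SIGRTMIN

static volatile sig_atomic_t last_code = 0;
static volatile sig_atomic_t last_accepted = -1;

/* Same three tests as nptl-init.c, in the original order, plus an explicit
   NULL guard so `si' is only dereferenced for a plausible invocation.
   SI_TKILL is -6 on Linux, the "cmn r3, #6" seen in the disassembly.  */
static bool valid_xid_invocation (int sig, const siginfo_t *si)
{
  if (sig != XID_SIGNAL || si == NULL)
    return false;
  return si->si_pid == getpid () && si->si_code == SI_TKILL;
}

static void handler (int sig, siginfo_t *si, void *ctx)
{
  (void) ctx;
  last_code = si->si_code;
  last_accepted = valid_xid_invocation (sig, si);
}

/* Install the handler, deliver XID_SIGNAL to ourselves and report the
   handler's verdict: method 0 uses tgkill (how glibc broadcasts setxid,
   giving si_code == SI_TKILL); method 1 uses kill(2) (si_code == SI_USER).  */
static int deliver_and_check (int method)
{
  struct sigaction sa;
  memset (&sa, 0, sizeof sa);
  sa.sa_sigaction = handler;
  sa.sa_flags = SA_SIGINFO;
  sigemptyset (&sa.sa_mask);
  if (sigaction (XID_SIGNAL, &sa, NULL) != 0)
    return -1;
  last_accepted = -1;
  if (method == 0)
    syscall (SYS_tgkill, getpid (), syscall (SYS_gettid), XID_SIGNAL);
  else
    kill (getpid (), XID_SIGNAL);
  /* A signal sent to the calling thread is delivered before the sending
     syscall returns, so the verdict is already recorded here.  */
  return last_accepted;
}
```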