Bug 26639 - msgctl IPC_INFO and MSG_INFO return garbage
Summary: msgctl IPC_INFO and MSG_INFO return garbage
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.32
Importance: P2 normal
Target Milestone: 2.33
Assignee: Adhemerval Zanella
Reported: 2020-09-20 15:08 UTC by Dmitry V. Levin
Modified: 2020-10-02 19:42 UTC

Description Dmitry V. Levin 2020-09-20 15:08:38 UTC
Starting with commit glibc-2.31.9000-687-g3283f71113 aka glibc-2.32~83,
both IPC_INFO and MSG_INFO commands of msgctl return garbage because their argument of type "struct msginfo" is converted using kmsqid64_to_msqid64.

This bug was found by the strace test suite.
Comment 1 Dmitry V. Levin 2020-09-20 17:21:58 UTC
(In reply to Dmitry V. Levin from comment #0)
> Starting with commit glibc-2.31.9000-687-g3283f71113 aka glibc-2.32~83,
> both IPC_INFO and MSG_INFO commands of msgctl return garbage because their
> argument of type "struct msginfo" is converted using kmsqid64_to_msqid64.

typo: it's msqid64_to_kmsqid64, not kmsqid64_to_msqid64.
Comment 2 Dmitry V. Levin 2020-09-20 17:35:33 UTC
The bug is in both __msgctl64 and __msgctl: in the case of IPC_INFO and MSG_INFO, instead of the pointer specified by the user, a pointer to an internal buffer on the stack is passed to the kernel.  As a result, the buffer specified by the user remains unchanged after IPC_INFO and MSG_INFO commands.
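A small regression check for the behaviour comment 2 describes, added here as an example and not part of this bug report, of glibc or of the strace test suite. It calls msgctl with IPC_INFO and MSG_INFO twice on a struct msginfo prefilled with different byte patterns: if the kernel's answer reaches the caller, both results agree; if the caller's buffer is never written, the two prefills are still there and differ. It assumes Linux with glibc headers; the helper names are my own.

```c
#define _GNU_SOURCE            /* struct msginfo, IPC_INFO and MSG_INFO */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>

/* Prefill the caller's struct msginfo with `fill`, then ask the kernel to
 * overwrite it. msqid is ignored by the kernel for IPC_INFO/MSG_INFO, and the
 * Linux ABI passes struct msginfo through the msqid_ds pointer argument. */
static int query_msginfo(int cmd, unsigned char fill, struct msginfo *out)
{
    memset(out, fill, sizeof *out);
    return msgctl(0, cmd, (struct msqid_ds *) out);
}

/* Returns 1 when the kernel's answer reached the caller's buffer,
 *         0 when the buffer still holds the prefill (the behaviour this bug
 *           report describes: glibc handed the kernel its own stack buffer),
 *        -1 when msgctl itself failed (errno set, e.g. SysV IPC unavailable). */
int msginfo_reaches_caller(int cmd)
{
    struct msginfo a, b;

    if (query_msginfo(cmd, 0x00, &a) < 0 || query_msginfo(cmd, 0xff, &b) < 0)
        return -1;
    /* Two calls with different prefills must agree once the kernel has
     * written them; if they still differ, nothing was written. Compare the
     * fields rather than the whole object to stay clear of padding bytes. */
    return (a.msgmni == b.msgmni && a.msgmax == b.msgmax &&
            a.msgmnb == b.msgmnb && a.msgpool == b.msgpool) ? 1 : 0;
}

int main(void)
{
    static const struct { const char *name; int cmd; } cmds[] = {
        { "IPC_INFO", IPC_INFO }, { "MSG_INFO", MSG_INFO },
    };
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
        int r = msginfo_reaches_caller(cmds[i].cmd);
        if (r < 0)
            printf("%s: msgctl failed: %s\n", cmds[i].name, strerror(errno));
        else
            printf("%s: caller's buffer %s\n", cmds[i].name,
                   r ? "filled by the kernel" : "unchanged (bug present)");
    }
    return 0;
}
```

On a fixed glibc both commands report the buffer as filled; on glibc 2.32 before the fix both report it unchanged.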
Comment 3 Adhemerval Zanella 2020-10-02 19:42:02 UTC
Fixed on 2.33 (20a00dbefca5695cccaa44846a482db8ccdd85ab).