This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug dynamic-link/21269] i386 sigaction sa_restorer handling is wrong

From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Mon, 20 Mar 2017 16:05:03 +0000
Subject: [Bug dynamic-link/21269] i386 sigaction sa_restorer handling is wrong
Auto-submitted: auto-generated
References: <bug-21269-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21269

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Andy Lutomirski from comment #2)
> (In reply to Florian Weimer from comment #1)
> > I think I'll take your word for this.  This seems an 
> 
> ?

Sorry, meant to write: This seems an actual problem we should fix.

> The most straightforward reproducer I can think of is to set up a struct
> user_desc that's all zeros except entry_number = -1, limit = 0xfffff,
> seg_32bit = 1, and limit_in_pages = 1.  Call set_thread_area(2) on it.  Set
> up a handler for SIGTRAP -- details don't really matter.
> 
> Then do (intentionally not valid C so you can't copy it):
> 
> mov [(entry_number << 3) | 3], %ss
> int3
> 
> A successful test will run the signal handler.  A failed test will segfault.

Okay, I'll try to turn this into an actual test case.

Any suggestions how to block the vDSO mapping?  I assume that's needed as well
before the bug can trigger.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

References:
- [Bug libc/21269] New: i386 sigaction sa_restorer handling is wrong
  - From: luto at kernel dot org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]