This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
| Other format: | [Raw text] | |
On Wed, Jul 02, 2014 at 02:18:06PM +0200, Florian Weimer wrote:
> If a call to the set*id functions fails in a multi-threaded program,
> the abort introduced in commit 13f7fe35ae2b0ea55dc4b9628763aafdc8bdc30c
> was triggered.
There should be a bug report for this I think. This is suitable for
2.20 since it is a regression from a patch that went in earlier to
abort on set*id failure.
> We address by checking that all calls to set*id on all threads give
> the same result, and only abort if we see success followed by failure
> (or vice versa).
The fix looks good to me barring a couple of minor issues that I have
mentioned below.
The original bug report mentions a kernel failure case being the only
case causing the setuid failure, but I think there may be another case
worth mentioning. It goes like this:
1. A calls setuid(x) and starts signalling other threads
2. B is signalled with some other signal and its handler has a call to
setuid(y) - this is allowed since setuid is considered
async-signal-safe.
3. B signals A due to which A sets its uid to y
4. A tries calling setuid(x) on itself and fails.
3. and 4. may happen on any other thread too when they're setuid'd to
a uid that can't setuid to the other uid. This can result in
partially failed setuid calls for A as well as B.
>
> 2014-07-02 Florian Weimer <fweimer@redhat.com>
>
BZ # would go here once you file the bug.
> * nptl/pthreadP.h (__nptl_setxid_error): Declare function.
> * nptl/allocatestack.c (__nptl_setxid_error): New function.
> (__nptl_setxid): Initialize error member. Call
> __nptl_setxid_error.
> * nptl/nptl-init.c (sighandler_setxid): Call __nptl_setxid_error.
> * nptl/descr.h (struct xid_command): Add error member.
> * nptl/tst-setuid3.c: New file.
> * nptl/Makefile (tests): Add it.
>
> --
> Florian Weimer / Red Hat Product Security
> diff --git a/nptl/Makefile b/nptl/Makefile
> index cd3be12..34d14c7 100644
> --- a/nptl/Makefile
> +++ b/nptl/Makefile
> @@ -269,6 +269,7 @@ tests = tst-typesizes \
> tst-abstime \
> tst-vfork1 tst-vfork2 tst-vfork1x tst-vfork2x \
> tst-getpid1 tst-getpid2 tst-getpid3 \
> + tst-setuid3 \
> tst-initializers1 $(patsubst %,tst-initializers1-%,c89 gnu89 c99 gnu99)
> xtests = tst-setuid1 tst-setuid1-static tst-setuid2 \
> tst-mutexpp1 tst-mutexpp6 tst-mutexpp10
> diff --git a/nptl/allocatestack.c b/nptl/allocatestack.c
> index 9095ef4..72a898a 100644
> --- a/nptl/allocatestack.c
> +++ b/nptl/allocatestack.c
> @@ -1059,6 +1059,25 @@ setxid_signal_thread (struct xid_command *cmdp, struct pthread *t)
> return 0;
> }
>
> +/* Check for consistency across set*id system call results. The abort
> + should not happen as long as all privileges changes happen through
> + the glibc wrappers. ERROR must be 0 (no error) or an errno
> + code. */
> +void
> +attribute_hidden
> +__nptl_setxid_error (struct xid_command *cmdp, int error)
> +{
> + do
> + {
> + int olderror = cmdp->error;
> + if (olderror == error)
> + break;
> + if (olderror != -1)
> + /* Mismatch between current and previous results. */
> + abort ();
> + }
> + while (atomic_compare_and_exchange_bool_acq (&cmdp->error, error, -1));
> +}
>
> int
> attribute_hidden
> @@ -1070,6 +1089,7 @@ __nptl_setxid (struct xid_command *cmdp)
>
> __xidcmd = cmdp;
> cmdp->cntr = 0;
> + cmdp->error = -1;
>
> struct pthread *self = THREAD_SELF;
>
> @@ -1155,9 +1175,13 @@ __nptl_setxid (struct xid_command *cmdp)
> cmdp->id[0], cmdp->id[1], cmdp->id[2]);
> if (INTERNAL_SYSCALL_ERROR_P (result, err))
> {
> - __set_errno (INTERNAL_SYSCALL_ERRNO (result, err));
> + int error = INTERNAL_SYSCALL_ERRNO (result, err);
> + __nptl_setxid_error (cmdp, error);
> + __set_errno (error);
> result = -1;
> }
> + else
> + __nptl_setxid_error (cmdp, 0);
Get ERROR out and initialize it to 0 so that you can call
__nptl_setxid_error just once outside the if/else. Also, you could
mark the error path as unlikely. That is:
int error = 0;
if (__glibc_unlikely (INTERNAL_SYSCALL_ERROR_P (result, err)))
{
error = INTERNAL_SYSCALL_ERRNO (result, err);
__set_errno (error);
result = -1;
}
__nptl_setxid_error (cmdp, error);
>
> lll_unlock (stack_cache_lock, LLL_PRIVATE);
> return result;
> diff --git a/nptl/descr.h b/nptl/descr.h
> index 61d57d5..6738591 100644
> --- a/nptl/descr.h
> +++ b/nptl/descr.h
> @@ -100,6 +100,7 @@ struct xid_command
> int syscall_no;
> long int id[3];
> volatile int cntr;
> + volatile int error; /* -1: no call yet, 0: success seen, >0: error seen. */
> };
>
>
> diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
> index 2796dc5..86d9d77 100644
> --- a/nptl/nptl-init.c
> +++ b/nptl/nptl-init.c
> @@ -249,9 +249,12 @@ sighandler_setxid (int sig, siginfo_t *si, void *ctx)
> result = INTERNAL_SYSCALL_NCS (__xidcmd->syscall_no, err, 3, __xidcmd->id[0],
> __xidcmd->id[1], __xidcmd->id[2]);
> if (__glibc_unlikely (INTERNAL_SYSCALL_ERROR_P (result, err)))
> - /* Safety check. This should never happen if the setxid system
> - calls are only ever called through their glibc wrappers. */
> - abort ();
> + {
> + int error = INTERNAL_SYSCALL_ERRNO (result, err);
> + __nptl_setxid_error (__xidcmd, error);
> + }
> + else
> + __nptl_setxid_error (__xidcmd, 0);
Likewise.
>
> /* Reset the SETXID flag. */
> struct pthread *self = THREAD_SELF;
> diff --git a/nptl/pthreadP.h b/nptl/pthreadP.h
> index 197401a..94e7890 100644
> --- a/nptl/pthreadP.h
> +++ b/nptl/pthreadP.h
> @@ -578,6 +578,8 @@ extern void _pthread_cleanup_pop_restore (struct _pthread_cleanup_buffer *buffer
>
> extern void __nptl_deallocate_tsd (void) attribute_hidden;
>
> +extern void __nptl_setxid_error (struct xid_command *cmdp, int error)
> + attribute_hidden;
> extern int __nptl_setxid (struct xid_command *cmdp) attribute_hidden;
> #ifndef SHARED
> extern void __nptl_set_robust (struct pthread *self);
> diff --git a/nptl/tst-setuid3.c b/nptl/tst-setuid3.c
> new file mode 100644
> index 0000000..f78f485
> --- /dev/null
> +++ b/nptl/tst-setuid3.c
> @@ -0,0 +1,104 @@
> +/* Copyright (C) 2014 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <err.h>
> +#include <errno.h>
> +#include <pthread.h>
> +#include <stdbool.h>
> +#include <unistd.h>
> +
> +/* The test must run under a non-privileged user ID. */
> +static const uid_t test_uid = 1;
> +
> +static pthread_barrier_t barrier1;
> +static pthread_barrier_t barrier2;
> +
> +static void *
> +thread_func (void *ctx __attribute__ ((unused)))
> +{
> + int ret = pthread_barrier_wait (&barrier1);
> + if (ret != PTHREAD_BARRIER_SERIAL_THREAD && ret != 0)
> + errx (1, "pthread_barrier_wait (barrier1) (on thread): %d", ret);
> + ret = pthread_barrier_wait (&barrier2);
> + if (ret != PTHREAD_BARRIER_SERIAL_THREAD && ret != 0)
> + errx (1, "pthread_barrier_wait (barrier2) (on thread): %d", ret);
> + return NULL;
> +}
> +
> +static void
> +setuid_failure (int phase)
> +{
> + int ret = setuid (0);
> + switch (ret)
> + {
> + case 0:
> + errx (1, "setuid succeeded unexpectedly in phase %d", phase);
> + case -1:
> + if (errno != EPERM)
> + err (1, "setuid phase %d", phase);
> + break;
> + default:
> + errx (1, "invalid setuid return value in phase %d: %d", phase, ret);
> + }
> +}
> +
> +static int
> +do_test (void)
> +{
> + if (getuid () == 0)
> + if (setuid (test_uid) != 0)
> + err (1, "setuid (%u)", (unsigned) test_uid);
> + if (setuid (getuid ()))
> + err (1, "setuid (getuid ())");
> + setuid_failure (1);
> +
> + int ret = pthread_barrier_init (&barrier1, NULL, 2);
> + if (ret != 0)
> + errx (1, "pthread_barrier_init (barrier1): %d", ret);
> + ret = pthread_barrier_init (&barrier2, NULL, 2);
> + if (ret != 0)
> + errx (1, "pthread_barrier_init (barrier2): %d", ret);
> +
> + pthread_t thread;
> + ret = pthread_create (&thread, NULL, thread_func, NULL);
> + if (ret != 0)
> + errx (1, "pthread_create: %d", ret);
> +
> + /* Ensure that the thread is running properly. */
> + ret = pthread_barrier_wait (&barrier1);
> + if (ret != 0)
> + errx (1, "pthread_barrier_wait (barrier1): %d", ret);
> +
> + setuid_failure (2);
> +
> + /* Check success case. */
> + if (setuid (getuid ()) != 0)
> + err (1, "setuid (getuid ())");
> +
> + /* Shutdown. */
> + ret = pthread_barrier_wait (&barrier2);
> + if (ret != PTHREAD_BARRIER_SERIAL_THREAD && ret != 0)
> + errx (1, "pthread_barrier_wait (barrier2): %d", ret);
> +
> + if (ret != PTHREAD_BARRIER_SERIAL_THREAD && ret != 0)
> + errx (1, "pthread_join: %d", ret);
> +
> + return 0;
> +}
> +
> +#define TEST_FUNCTION do_test ()
> +#include "../test-skeleton.c"
Attachment:
pgpJqpRyjdW4w.pgp
Description: PGP signature
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |