


[Bug libc/22565] New: Enhance Safety check


https://sourceware.org/bugzilla/show_bug.cgi?id=22565

            Bug ID: 22565
           Summary: Enhance Safety check
           Product: glibc
           Version: 2.26
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: akhilesh.k at samsung dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Dear All 

I found one strange behavior during crash analysis: my process is terminated
with signal SIGILL.

It looks like the process is terminated due to a wrong system call, because my r7
also looks invalid and the si pointer is null; this issue could be due to some
memory corruption in my stack.

I believe that in such cases we can change the check below so that the failure
shows up as SIGSEGV instead of SIGILL.


 14  nptl/nptl-init.c |   12 ++++++------
 15  1 files changed, 6 insertions(+), 6 deletions(-)
 16 
 17 diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
 18 index 2921607..df32ec1 100644
 19 --- a/nptl/nptl-init.c
 20 +++ b/nptl/nptl-init.c
 21 @@ -184,9 +184,9 @@ sigcancel_handler (int sig, siginfo_t *si, void *ctx)
 22       other signals and send a signal from another process.  This is not
 23       correct and might even be a security problem.  Try to catch as
 24       many incorrect invocations as possible.  */
 25 -  if (sig != SIGCANCEL
 26 -      || si->si_pid != __getpid()
 27 -      || si->si_code != SI_TKILL)
 28 +  if (si->si_pid != __getpid()
 29 +      || si->si_code != SI_TKILL
 30 +      || sig != SIGCANCEL)
 31      return;
 32 
 33    struct pthread *self = THREAD_SELF;
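Review bot: The new condition reads `si->si_pid` before `sig` is compared, so the handler now dereferences `si` for every signal that reaches it, including a misdelivered one, whereas `sig != SIGCANCEL` is the only test that needs no memory access and previously rejected such calls before touching `si`. Moving the dereference first does not add a safety check; it only changes which instruction faults when `si` is bad, and the same applies to the sighandler_setxid hunk below. The original order should be kept, with a comment such as `/* Test the signal number first: it is the only check that does not dereference SI.  */` so the ordering is not "tidied" again. sigcancel_handler's body continues outside the hunk.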
 34 @@ -239,9 +239,9 @@ sighandler_setxid (int sig, siginfo_t *si, void *ctx)
 35       other signals and send a signal from another process.  This is not
 36       correct and might even be a security problem.  Try to catch as
 37       many incorrect invocations as possible.  */
 38 -  if (sig != SIGSETXID
 39 -      || si->si_pid != __getpid ()
 40 -      || si->si_code != SI_TKILL)
 41 +  if (si->si_pid != __getpid ()
 42 +      || si->si_code != SI_TKILL
 43 +      || sig != SIGSETXID)
 44      return;
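Review bot: The crash data in the report does not show a NULL `si` being dereferenced, so this reorder would not have changed the outcome. The disassembly executes `cmp r0, #33; bxne lr` and then `ldr r2, [r1, #12]` (the `si->si_pid` load) without faulting and reaches the `svc` at +104, and the frame reports `nptl-init.c:269` with `__xidcmd->syscall_no = 0xbe49f3d8`; the `si=0x0` in the backtrace is presumably a clobbered register rather than the handler's argument, given that the load succeeded. The SIGILL therefore appears to come from the system call issued with a corrupted `__xidcmd` (its fields look like stack addresses), which is outside this hunk and is the thing to investigate. sighandler_setxid's body continues outside the hunk.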


result = INTERNAL_SYSCALL_NCS (__xidcmd->syscall_no, err, 3, __xidcmd->id[0],  
                     //Syscall triggered with invalid syscall_no
                 __xidcmd->id[1], __xidcmd->id[2]);
  int error = 0;
  if (__glibc_unlikely (INTERNAL_SYSCALL_ERROR_P (result, err)))
    error = INTERNAL_SYSCALL_ERRNO (result, err);
  __nptl_setxid_error (__xidcmd, error);

(gdb) p/x *__xidcmd
$2 = {syscall_no = 0xbe49f3d8, id = {0xbe49f40b, 0xbe49f7c3, 0xbe49f3d8}, cntr
= 0xbe49f7c3, error = 0x0}

(gdb) p *__xidcmd
$2 = {syscall_no = -1102449704, id = {-1102449653, -1102448701, -1102449704},
cntr = -1102448701, error = 0}
(gdb)



(gdb) disassemble 
Dump of assembler code for function sighandler_setxid:
   0xb6485594 <+0>:     cmp     r0, #33 ; 0x21
   0xb6485598 <+4>:     bxne    lr
   0xb648559c <+8>:     str     r4, [sp, #-12]!
   0xb64855a0 <+12>:    mrc     15, 0, r4, cr13, cr0, {3}
   0xb64855a4 <+16>:    ldr     r3, [r4, #-1108]        ; 0xfffffbac
   0xb64855a8 <+20>:    stmib   sp, {r7, lr}
   0xb64855ac <+24>:    ldr     r2, [r1, #12]
   0xb64855b0 <+28>:    cmp     r3, #0
   0xb64855b4 <+32>:    rsblt   r3, r3, #0
   0xb64855b8 <+36>:    sub     sp, sp, #20
   0xb64855bc <+40>:    cmp     r2, r3
   0xb64855c0 <+44>:    beq     0xb64855d8 <sighandler_setxid+68>
   0xb64855c4 <+48>:    add     sp, sp, #20
   0xb64855c8 <+52>:    ldr     r4, [sp]
   0xb64855cc <+56>:    ldr     r7, [sp, #4]
   0xb64855d0 <+60>:    add     sp, sp, #8
   0xb64855d4 <+64>:    pop     {pc}            ; (ldr pc, [sp], #4)
   0xb64855d8 <+68>:    ldr     r3, [r1, #8]
   0xb64855dc <+72>:    cmn     r3, #6
   0xb64855e0 <+76>:    bne     0xb64855c4 <sighandler_setxid+48>
   0xb64855e4 <+80>:    ldr     r3, [pc, #352]  ; 0xb648574c
<sighandler_setxid+440>
   0xb64855e8 <+84>:    add     r3, pc, r3
   0xb64855ec <+88>:    ldr     r3, [r3]
   0xb64855f0 <+92>:    ldr     r7, [r3]
   0xb64855f4 <+96>:    ldrd    r0, [r3, #4]
   0xb64855f8 <+100>:   ldr     r2, [r3, #12]
   0xb64855fc <+104>:   svc     0x00000000
=> 0xb6485600 <+108>:   ldr     r3, [pc, #328]  ; 0xb6485750
<sighandler_setxid+444> 
   0xb6485604 <+112>:   cmn     r0, #4096       ; 0x1000


(gdb) info locals 
pid = 6776
result = 0
error = 0
self = <optimized out>
flags = <optimized out>
newval = <optimized out>
(gdb) info threads 
  Id   Target Id         Frame 
* 1    LWP 6806          sighandler_setxid (sig=<optimized out>, si=0x0,
ctx=<optimized out>) at nptl-init.c:269
  2    LWP 6809          0xb6491f34 in futex_abstimed_wait_cancelable
(private=128, abstime=0x0, expected=1, futex_word=0x525d00) at
../sysdeps/unix/sysv/linux/futex-internal.h:205
  3    LWP 6811          0xb648f2c4 in __pthread_cond_wait
(cond=cond@entry=0x5404a8, mutex=mutex@entry=0x540490) at
pthread_cond_wait.c:186
  4    LWP 6776          0xb648877c in pthread_join (threadid=<optimized out>,
thread_return=thread_return@entry=0x0) at pthread_join.c:90
  5    LWP 6804          0xb6491f34 in futex_abstimed_wait_cancelable
(private=128, abstime=0x0, expected=1, futex_word=0x523948) at
../sysdeps/unix/sysv/linux/futex-internal.h:205
  6    LWP 6803          0xb6491f34 in futex_abstimed_wait_cancelable
(private=128, abstime=0x0, expected=1, futex_word=0x523598) at
../sysdeps/unix/sysv/linux/futex-internal.h:205
(gdb)

