nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]

nptl has

/* Opcodes and data types for communication with the signal handler to
   change user/group IDs.  */
struct xid_command
{
  int syscall_no;
  long int id[3];
  volatile int cntr;
  volatile int error;
};

 /* This must be last, otherwise the current thread might not have
     permissions to send SIGSETXID syscall to the other threads.  */
  result = INTERNAL_SYSCALL_NCS (cmdp->syscall_no, 3,
                                 cmdp->id[0], cmdp->id[1], cmdp->id[2]);

But the second argument of setgroups syscal is a pointer:

       int setgroups (size_t size, const gid_t *list);

But on x32, pointers passed to syscall must have pointer type so that
they will be zero-extended.  The kernel XID arguments are unsigned and
do not require sign extension.  Change xid_command to

struct xid_command
{
  int syscall_no;
  unsigned long int id[3];
  volatile int cntr;
  volatile int error;
};

so that all arguments are zero-extended.  A testcase is added for x32 and
setgroups returned with EFAULT when running as root without the fix.

(cherry picked from commit 0ad926f349)
This commit is contained in:
H.J. Lu 2020-07-16 03:37:10 -07:00 committed by Aurelien Jarno
parent 21b760cc2f
commit 7611339a9b
4 changed files with 88 additions and 2 deletions

1
NEWS
View File

@ -24,6 +24,7 @@ The following bugs are resolved with this release:
[25933] Off by one error in __strncmp_avx2
[25966] Incorrect access of __x86_shared_non_temporal_threshold for x32
[25976] nss_compat: internal_end*ent may clobber errno, hiding ERANGE
[26248] Incorrect argument types for INLINE_SETXID_SYSCALL
Security related changes:

View File

@ -332,7 +332,7 @@ tests-internal := tst-rwlock19 tst-rwlock20 \
tst-mutexpi8 tst-mutexpi8-static tst-cancel25
xtests = tst-setuid1 tst-setuid1-static tst-setuid2 \
tst-mutexpp1 tst-mutexpp6 tst-mutexpp10
tst-mutexpp1 tst-mutexpp6 tst-mutexpp10 tst-setgroups
# This test can run into task limits because of a linux kernel bug
# and then cause the make process to fail too, see bug 24537.

View File

@ -94,7 +94,13 @@ struct pthread_unwind_buf
struct xid_command
{
int syscall_no;
long int id[3];
/* Enforce zero-extension for the pointer argument in
int setgroups (size_t size, const gid_t *list);
The kernel XID arguments are unsigned and do not require sign
extension. */
unsigned long int id[3];
volatile int cntr;
volatile int error; /* -1: no call yet, 0: success seen, >0: error seen. */
};

79
nptl/tst-setgroups.c Normal file
View File

@ -0,0 +1,79 @@
/* Test setgroups as root and in the presence of threads (Bug 26248)
Copyright (C) 2020 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<https://www.gnu.org/licenses/>. */
#include <stdlib.h>
#include <limits.h>
#include <grp.h>
#include <errno.h>
#include <error.h>
#include <support/xthread.h>
#include <support/support.h>
#include <support/test-driver.h>
#include <support/xunistd.h>
/* The purpose of this test is to test the setgroups API as root and in
the presence of threads. Once we create a thread the setgroups
implementation must ensure that all threads are set to the same
group and this operation should not fail. Lastly we test setgroups
with a zero sized group and a bad address and verify we get EPERM. */
static void *
start_routine (void *args)
{
return NULL;
}
static int
do_test (void)
{
int size;
/* NB: Stack address can be at 0xfffXXXXX on 32-bit OSes. */
gid_t list[NGROUPS_MAX];
int status = EXIT_SUCCESS;
pthread_t thread = xpthread_create (NULL, start_routine, NULL);
size = getgroups (sizeof (list) / sizeof (list[0]), list);
if (size < 0)
{
status = EXIT_FAILURE;
error (0, errno, "getgroups failed");
}
if (setgroups (size, list) < 0)
{
if (errno == EPERM)
status = EXIT_UNSUPPORTED;
else
{
status = EXIT_FAILURE;
error (0, errno, "setgroups failed");
}
}
if (status == EXIT_SUCCESS && setgroups (0, list) < 0)
{
status = EXIT_FAILURE;
error (0, errno, "setgroups failed");
}
xpthread_join (thread);
return status;
}
#include <support/test-driver.c>