From: H.J. Lu
Date: Thu, 16 Jul 2020 10:37:10 +0000 (-0700)
Subject: [PATCH] nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]
X-Git-Tag: archive/raspbian/2.31-2+rpi1^2~33
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=452e85b68cbd3266ab9d10e21a6c6fbe7091cfe0;p=glibc.git

[PATCH] nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]

nptl has

/* Opcodes and data types for communication with the signal handler to
   change user/group IDs. */
struct xid_command
{
  int syscall_no;
  long int id[3];
  volatile int cntr;
  volatile int error;
};

  /* This must be last, otherwise the current thread might not have
     permissions to send SIGSETXID syscall to the other threads. */
  result = INTERNAL_SYSCALL_NCS (cmdp->syscall_no, 3,
                                 cmdp->id[0], cmdp->id[1], cmdp->id[2]);

But the second argument of setgroups syscall is a pointer:

  int setgroups(size_t size, const gid_t *list);

But on x32, pointers passed to syscall must have pointer type so that
they will be zero-extended. The kernel XID arguments are unsigned and
do not require sign extension. Change xid_command to

struct xid_command
{
  int syscall_no;
  unsigned long int id[3];
  volatile int cntr;
  volatile int error;
};

so that all arguments are zero-extended. A testcase is added for x32 and
setgroups returned with EFAULT when running as root without the fix.

Gbp-Pq: Topic x32
Gbp-Pq: Name submitted-fix-nptl-setgroups-x32.diff
---

diff --git a/nptl/descr.h b/nptl/descr.h index 9dcf480bd..650331ad6 100644 --- a/nptl/descr.h +++ b/nptl/descr.h @@ -94,7 +94,13 @@ struct pthread_unwind_buf struct xid_command { int syscall_no; - long int id[3]; + /* Enforce zero-extension for the pointer argument in + + int setgroups(size_t size, const gid_t *list); + + The kernel XID arguments are unsigned and do not require sign + extension. */ + unsigned long int id[3]; volatile int cntr; volatile int error; /* -1: no call yet, 0: success seen, >0: error seen. */ };
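
Review bot: The comment added above `unsigned long int id[3];` says zero-extension is enforced for the setgroups pointer argument, but the field is still an integer type, while the commit message states that on x32 pointers passed to a syscall must have pointer type to be zero-extended. The comment should say why an unsigned integer is sufficient here, namely that values read from `id[]` are widened as unsigned when they are passed at the `INTERNAL_SYSCALL_NCS` call, so that a later reader does not change the type back to `long int`. The message also says a testcase is added for x32, yet this diff touches only nptl/descr.h; the test that checks setgroups no longer returns EFAULT as root should travel with this change, since a failing setgroups leaves the supplementary groups unchanged for any caller that ignores the return value.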