From patchwork Mon Mar 24 14:30:30 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Weimer <fweimer@redhat.com>
X-Patchwork-Id: 333070
Return-Path: 
 <libc-alpha-return-48455-incoming=patchwork.ozlabs.org@sourceware.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from sourceware.org (server1.sourceware.org [209.132.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 064C7140090
	for <incoming@patchwork.ozlabs.org>;
	Tue, 25 Mar 2014 01:53:26 +1100 (EST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:content-type; q=dns; s=default; b=LU8SXb8p3JMbpLZ5GC/NWmV5GpvQu
	BQWRCOPr4IjN3EkzXJxyBSk3A3Grd8xAT1S1WZTObPhhtle/5yWlPDCAYBSIyB/X
	+Yf0+qJMrJ19y0PYxuxl16HOi6LDmX5lGvcDA7A2Zk42pqDWohu5xZvys0PFlkva
	TmYF3lbkeAITtc=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:content-type; s=default; bh=VgGmqPYAqXx6vp25lHU50L14mZU=; b=TNC
	y8Lf/2ZNIQu4E2zCSfRN+tAfqlb5EukVwzaecKOCvavafbDImdt+oAxhuMgaHRPe
	94JtWjKbYODOyhJbrOr+tUwzo77FnVmN/upp2XS0toOt4AT2XqD/w//GFyLpmrk5
	UL3NOo8PTt/NO1guyx1hLXGVB0ER8xxLXUffM+14=
Received: (qmail 4139 invoked by alias); 24 Mar 2014 14:53:21 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: 
 <mailto:libc-alpha-unsubscribe-incoming=patchwork.ozlabs.org@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 4088 invoked by uid 89); 24 Mar 2014 14:53:20 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-4.0 required=5.0 tests=AWL, BAYES_00,
	RP_MATCHES_RCVD, SPF_HELO_PASS,
	SPF_PASS autolearn=ham version=3.3.2
X-HELO: mx1.redhat.com
Message-ID: <53304186.4000909@redhat.com>
Date: Mon, 24 Mar 2014 15:30:30 +0100
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: GNU C Library <libc-alpha@sourceware.org>
Subject: [PATCH] Error checking for SETXID (bug 13347)

Check for syscall error in the SETXID implementation in NPTL (bug 13347).

At this point, we can only abort the process because we have already 
switched credentials on other threads.  Returning an error would still 
leave the process in an inconsistent state.

The new xtest needs root privileges to run.

commit 06f66b8da0d3d2914f1d6f66ebf422007c5b00b7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Mar 24 15:24:02 2014 +0100

    Check for syscall error in the SETXID implementation in NPTL (bug 13347).
    
    At this point, we can only abort the process because we have already
    switched credentials on other threads.  Returning an error would still
    leave the process in an inconsistent state.
    
    The new xtest needs root privileges to run.

diff --git a/ChangeLog b/ChangeLog
index e9fdbe7..e797a20 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-03-24  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #13347]
+	* nptl/nptl-init.c (sighandler_setxid): Check system call result.
+	* nptl/tst-setuid2.c: New file.
+	* nptl/Makefile (xtests): Add tst-setuid2.
+
 2014-03-24  Joseph Myers  <joseph@codesourcery.com>
 
 	[BZ #16284]
diff --git a/nptl/Makefile b/nptl/Makefile
index 897ac96..2876224 100644
--- a/nptl/Makefile
+++ b/nptl/Makefile
@@ -270,7 +270,8 @@ tests = tst-typesizes \
 	tst-vfork1 tst-vfork2 tst-vfork1x tst-vfork2x \
 	tst-getpid1 tst-getpid2 tst-getpid3 \
 	tst-initializers1 $(patsubst %,tst-initializers1-%,c89 gnu89 c99 gnu99)
-xtests = tst-setuid1 tst-setuid1-static tst-mutexpp1 tst-mutexpp6 tst-mutexpp10
+xtests = tst-setuid1 tst-setuid1-static tst-setuid2 \
+	tst-mutexpp1 tst-mutexpp6 tst-mutexpp10
 test-srcs = tst-oddstacklimit
 
 # Files which must not be linked with libpthread.
diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
index 794156b..2796dc5 100644
--- a/nptl/nptl-init.c
+++ b/nptl/nptl-init.c
@@ -232,6 +232,7 @@ sighandler_setxid (int sig, siginfo_t *si, void *ctx)
   /* Determine the process ID.  It might be negative if the thread is
      in the middle of a fork() call.  */
   pid_t pid = THREAD_GETMEM (THREAD_SELF, pid);
+  int result;
   if (__glibc_unlikely (pid < 0))
     pid = -pid;
 
@@ -245,8 +246,12 @@ sighandler_setxid (int sig, siginfo_t *si, void *ctx)
     return;
 
   INTERNAL_SYSCALL_DECL (err);
-  INTERNAL_SYSCALL_NCS (__xidcmd->syscall_no, err, 3, __xidcmd->id[0],
-			__xidcmd->id[1], __xidcmd->id[2]);
+  result = INTERNAL_SYSCALL_NCS (__xidcmd->syscall_no, err, 3, __xidcmd->id[0],
+				 __xidcmd->id[1], __xidcmd->id[2]);
+  if (__glibc_unlikely (INTERNAL_SYSCALL_ERROR_P (result, err)))
+    /* Safety check.  This should never happen if the setxid system
+       calls are only ever called through their glibc wrappers.  */
+    abort ();
 
   /* Reset the SETXID flag.  */
   struct pthread *self = THREAD_SELF;
diff --git a/nptl/tst-setuid2.c b/nptl/tst-setuid2.c
new file mode 100644
index 0000000..951aecc
--- /dev/null
+++ b/nptl/tst-setuid2.c
@@ -0,0 +1,145 @@
+/* Copyright (C) 2014 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+/* Check that a partial setuid failure aborts the process. */
+
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t cond_send;
+static void (*func_sent) (void);
+static pthread_cond_t cond_recv;
+
+#define FAIL(fmt, ...) \
+  do { printf ("FAIL: " fmt "\n", __VA_ARGS__); _exit (1); } while (0)
+
+static void *
+thread_func (void *ctx __attribute__ ((unused)))
+{
+  int ret = pthread_mutex_lock (&mutex);
+  if (ret != 0)
+    FAIL ("pthread_mutex_lock (thread): %d", ret);
+
+  while (true)
+    {
+      if (func_sent != NULL)
+	{
+	  void (*func) (void) = func_sent;
+	  ret = pthread_mutex_unlock (&mutex);
+	  if (ret != 0)
+	    FAIL ("pthread_mutex_unlock (thread): %d", ret);
+	  func ();
+	  ret = pthread_mutex_lock (&mutex);
+	  if (ret != 0)
+	    FAIL ("pthread_mutex_lock (thread): %d", ret);
+	  func_sent = NULL;
+	  ret = pthread_cond_signal (&cond_recv);
+	  if (ret != 0)
+	    FAIL ("pthread_cond_signal (recv): %d", ret);
+	}
+      ret = pthread_cond_wait (&cond_send, &mutex);
+      if (ret != 0)
+	FAIL ("pthread_cond_wait (send): %d", ret);
+    }
+  return NULL;
+}
+
+static void
+run_on_thread (void (*func) (void))
+{
+  int ret = pthread_mutex_lock (&mutex);
+  if (ret != 0)
+    FAIL ("pthread_mutex_lock (%s): %d", __func__, ret);
+  func_sent = func;
+  ret = pthread_mutex_unlock (&mutex);
+  if (ret != 0)
+    FAIL ("pthread_mutex_unlock (%s): %d", __func__, ret);
+
+  ret = pthread_cond_signal (&cond_send);
+  if (ret != 0)
+    FAIL ("pthread_mutex_lock (%s): %d", __func__, ret);
+
+  ret = pthread_mutex_lock (&mutex);
+  if (ret != 0)
+    FAIL ("pthread_mutex_lock (%s): %d", __func__, ret);
+
+  while (func_sent != NULL)
+    {
+      ret = pthread_cond_wait (&cond_recv, &mutex);
+      if (ret != 0)
+	FAIL ("pthread_mutex_wait (%s): %d", __func__, ret);
+    }
+  ret = pthread_mutex_unlock (&mutex);
+  if (ret != 0)
+    FAIL ("pthread_mutex_unlock (%s): %d", __func__, ret);
+}
+
+static void
+change_thread_ids (void)
+{
+  long ret = syscall (__NR_setresuid, 2001, 2002, 2003);
+  if (ret != 0)
+    FAIL ("setresuid (2001, 2002, 2003): %ld", ret);
+}
+
+static uid_t ruid, euid, suid;
+
+static void
+get_thread_ids (void)
+{
+  if (getresuid (&ruid, &euid, &suid) < 0)
+    FAIL ("getresuid: %m (%d)", errno);
+}
+
+static void
+abort_expected (int signal __attribute__ ((unused)))
+{
+  _exit (0);
+}
+
+static int
+do_test (void)
+{
+  pthread_t thread;
+  int ret = pthread_create (&thread, NULL, thread_func, NULL);
+  if (ret != 0)
+    FAIL ("pthread_create: %d", ret);
+
+  run_on_thread (change_thread_ids);
+
+  signal (SIGABRT, &abort_expected);
+  /* This should abort the process.  */
+  if (setresuid (1001, 1002, 1003) < 0)
+    FAIL ("setresuid: %m (%d)", errno);
+  signal (SIGABRT, SIG_DFL);
+
+  /* If we get here, check that the kernel did the right thing. */
+  run_on_thread (get_thread_ids);
+  if (ruid != 1001 || euid != 1002 || euid != 1003)
+    FAIL ("unexpected UIDs after setuid: %ld, %ld, %ld",
+	  (long) ruid, (long) euid, (long) suid);
+  return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"