From patchwork Mon Apr 28 12:03:02 2014
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 722
To: libc-alpha@sourceware.org
From: Florian Weimer
Date: Mon, 28 Apr 2014 14:03:02 +0200
Subject: [PATCH] nptl: Fix abort in case of set*id failure
Message-Id: <20140428120545.20B0643994596@oldenburg.str.redhat.com>

If a call to the set*id functions fails in a multi-threaded program,
the abort introduced in commit 13f7fe35ae2b0ea55dc4b9628763aafdc8bdc30c
was triggered. We address this by checking that all calls to set*id on
all threads give the same result, and only abort if we see success
followed by failure (or vice versa).

---
 nptl/Makefile        |  1 +
 nptl/allocatestack.c | 26 +++++++++++++++++++++++++-
 nptl/descr.h         |  1 +
 nptl/nptl-init.c     |  9 ++++++---
 nptl/pthreadP.h      |  2 ++
 6 files changed, 46 insertions(+), 4 deletions(-)

2014-04-28  Florian Weimer

	* nptl/pthreadP.h (__nptl_setxid_error): Declare function.
	* nptl/allocatestack.c (__nptl_setxid_error): New function.
	(__nptl_setxid): Initialize error member. Call __nptl_setxid_error.
	* nptl/nptl-init.c (sighandler_setxid): Call __nptl_setxid_error.
	* nptl/descr.h (struct xid_command): Add error member.
	* nptl/tst-setuid3.c: New file.
	* nptl/Makefile (tests): Add it.

diff --git a/nptl/Makefile b/nptl/Makefile index 2876224..5ee064c 100644 --- a/nptl/Makefile +++ b/nptl/Makefile 
@@ -269,6 +269,7 @@ tests = tst-typesizes \ tst-abstime \ tst-vfork1 tst-vfork2 tst-vfork1x tst-vfork2x \ tst-getpid1 tst-getpid2 tst-getpid3 \ + tst-setuid3 \ tst-initializers1 $(patsubst %,tst-initializers1-%,c89 gnu89 c99 gnu99) xtests = tst-setuid1 tst-setuid1-static tst-setuid2 \ tst-mutexpp1 tst-mutexpp6 tst-mutexpp10 diff --git a/nptl/allocatestack.c b/nptl/allocatestack.c index 1e22f7d..2d855bf 100644 --- a/nptl/allocatestack.c +++ b/nptl/allocatestack.c @@ -1061,6 +1061,25 @@ setxid_signal_thread (struct xid_command *cmdp, struct pthread *t) return 0; } +/* Check for consistency across set*id system call results. The abort + should not happen as long as all privileges changes happen through + the glibc wrappers. ERROR must be 0 (no error) or an errno + code. */ +void +attribute_hidden +__nptl_setxid_error (struct xid_command *cmdp, int error) +{ + do + { + int olderror = cmdp->error; + if (olderror == error) + break; + if (olderror != -1) + /* Mismatch between current and previous results. */ + abort (); + } + while (atomic_compare_and_exchange_bool_acq (&cmdp->error, error, -1)); +} int attribute_hidden @@ -1072,6 +1091,7 @@ __nptl_setxid (struct xid_command *cmdp) __xidcmd = cmdp; cmdp->cntr = 0; + cmdp->error = -1; struct pthread *self = THREAD_SELF; @@ -1157,9 +1177,13 @@ __nptl_setxid (struct xid_command *cmdp) cmdp->id[0], cmdp->id[1], cmdp->id[2]); if (INTERNAL_SYSCALL_ERROR_P (result, err)) { - __set_errno (INTERNAL_SYSCALL_ERRNO (result, err)); + int error = INTERNAL_SYSCALL_ERRNO (result, err); + __nptl_setxid_error (cmdp, error); + __set_errno (error); result = -1; } + else + __nptl_setxid_error (cmdp, 0); lll_unlock (stack_cache_lock, LLL_PRIVATE); return result; diff --git a/nptl/descr.h b/nptl/descr.h index 61d57d5..6738591 100644 --- a/nptl/descr.h +++ b/nptl/descr.h @@ -100,6 +100,7 @@ struct xid_command int syscall_no; long int id[3]; volatile int cntr; + volatile int error; /* -1: no call yet, 0: success seen, >0: error seen. */ }; 
diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c index 2796dc5..86d9d77 100644 --- a/nptl/nptl-init.c +++ b/nptl/nptl-init.c @@ -249,9 +249,12 @@ sighandler_setxid (int sig, siginfo_t *si, void *ctx) result = INTERNAL_SYSCALL_NCS (__xidcmd->syscall_no, err, 3, __xidcmd->id[0], __xidcmd->id[1], __xidcmd->id[2]); if (__glibc_unlikely (INTERNAL_SYSCALL_ERROR_P (result, err))) - /* Safety check. This should never happen if the setxid system - calls are only ever called through their glibc wrappers. */ - abort (); + { + int error = INTERNAL_SYSCALL_ERRNO (result, err); + __nptl_setxid_error (__xidcmd, error); + } + else + __nptl_setxid_error (__xidcmd, 0); /* Reset the SETXID flag. */ struct pthread *self = THREAD_SELF; diff --git a/nptl/pthreadP.h b/nptl/pthreadP.h index 197401a..94e7890 100644 --- a/nptl/pthreadP.h +++ b/nptl/pthreadP.h @@ -578,6 +578,8 @@ extern void _pthread_cleanup_pop_restore (struct _pthread_cleanup_buffer *buffer extern void __nptl_deallocate_tsd (void) attribute_hidden; +extern void __nptl_setxid_error (struct xid_command *cmdp, int error) + attribute_hidden; extern int __nptl_setxid (struct xid_command *cmdp) attribute_hidden; #ifndef SHARED extern void __nptl_set_robust (struct pthread *self);
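
Review bot: nptl/tst-setuid3.c is missing from the patch, although the nptl/Makefile hunk adds tst-setuid3 to tests and the ChangeLog lists the file as new. The diffstat says "6 files changed" but names and patches only five, so the build would fail on the new tests entry as posted. Please resend with the test source included.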
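
Review bot: In __nptl_setxid_error (first nptl/allocatestack.c hunk), the check "if (olderror == error) break;" compares exact errno values, so two threads that both fail but with different error codes also reach abort (). The commit message only describes aborting on success followed by failure or vice versa. Either state the stricter rule in the function comment and in the descr.h field comment ("-1: no call yet, 0: success seen, >0: error seen"), or store only a success/failure state if that distinction is all that is intended.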
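
Review bot: In the last nptl/allocatestack.c hunk (@@ -1157,9 +1177,13 @@), both new __nptl_setxid_error calls sit before "lll_unlock (stack_cache_lock, LLL_PRIVATE);", so a mismatch detected on the initiating thread aborts while stack_cache_lock is still held. If that is intended, a short comment would help. Otherwise keep the error code in a local that defaults to 0 and make a single __nptl_setxid_error call after the unlock, which also removes the duplicated call in the if/else.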
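
Review bot: The sighandler_setxid hunk in nptl/nptl-init.c deletes the comment explaining the safety check ("This should never happen if the setxid system calls are only ever called through their glibc wrappers") and leaves the new calls undocumented, even though the handler can still abort through __nptl_setxid_error. Add a one-line comment at the call site saying that the handler only records its result here, that a mismatch with another thread's result aborts, and that errno is set by the initiating thread in __nptl_setxid.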