On 2024/10/23 22:08, Benjamin Berg wrote:
[...]
> diff --git a/arch/um/os-Linux/skas/process.c b/arch/um/os-Linux/skas/process.c
> index c663b67c3fd3..a29957e021f3 100644
> --- a/arch/um/os-Linux/skas/process.c
> +++ b/arch/um/os-Linux/skas/process.c
> @@ -16,6 +16,7 @@
> #include <sys/mman.h>
> #include <sys/wait.h>
> #include <sys/stat.h>
> +#include <sys/socket.h>
> #include <asm/unistd.h>
> #include <as-layout.h>
> #include <init.h>
> @@ -153,7 +154,39 @@ void wait_stub_done_seccomp(struct mm_id *mm_idp, int
> running, int wait_sigsys)
> int ret;
>
> do {
> + const char byte = 0;
> + struct iovec iov = {
> + .iov_base = (void *)&byte,
> + .iov_len = sizeof(byte),
> + };
> + union {
> + char data[CMSG_SPACE(sizeof(mm_idp->syscall_fd_map))];
> + struct cmsghdr align;
> + } ctrl;
> + struct msghdr msgh = {
> + .msg_iov = &iov,
> + .msg_iovlen = 1,
> + };
> +
> if (!running) {
> + if (mm_idp->syscall_fd_num) {
> + unsigned int fds_size =
> + sizeof(int) * mm_idp->syscall_fd_num;
> + struct cmsghdr *cmsg;
> +
> + msgh.msg_control = ctrl.data;
> + msgh.msg_controllen = CMSG_SPACE(fds_size);
> + cmsg = CMSG_FIRSTHDR(&msgh);
> + cmsg->cmsg_level = SOL_SOCKET;
> + cmsg->cmsg_type = SCM_RIGHTS;
> + cmsg->cmsg_len = CMSG_LEN(fds_size);
> + memcpy(CMSG_DATA(cmsg), mm_idp->syscall_fd_map,
> + fds_size);
It looks the memcpy could trigger a crash when UML_SECCOMP is enabled:
Run /sbin/init as init process
*** buffer overflow detected ***: terminated
Thread 1 "linux" received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737353807680) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737353807680) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737353807680) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737353807680, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7c42476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7c287f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7c89676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7ddb92e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#6 0x00007ffff7d3659a in __GI___fortify_fail (msg=msg@entry=0x7ffff7ddb8d4 "buffer overflow detected") at ./debug/fortify_fail.c:26
#7 0x00007ffff7d34f16 in __GI___chk_fail () at ./debug/chk_fail.c:28
#8 0x00000000600376ee in memcpy (__len=4, __src=<optimized out>, __dest=0xe0803e60) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#9 wait_stub_done_seccomp (mm_idp=mm_idp@entry=0x608e69e0, running=<optimized out>, running@entry=0, wait_sigsys=wait_sigsys@entry=0) at arch/um/os-Linux/skas/process.c:183
#10 0x0000000060037cc6 in userspace (regs=0x60828788) at arch/um/os-Linux/skas/process.c:605
#11 0x00000000600228c1 in new_thread_handler () at arch/um/kernel/process.c:119
It can be fixed with changes like below on my machine:
diff --git a/arch/um/include/shared/skas/mm_id.h b/arch/um/include/shared/skas/mm_id.h
index f2d4c383c958..26d922443454 100644
--- a/arch/um/include/shared/skas/mm_id.h
+++ b/arch/um/include/shared/skas/mm_id.h
@@ -6,6 +6,8 @@
 #ifndef __MM_ID_H
 #define __MM_ID_H
+#include <linux/kconfig.h>
+
 #ifdef CONFIG_UML_SECCOMP
 #define STUB_MAX_FDS 4
 #else

Regards,
Tiwei
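Review bot: The added `#include <linux/kconfig.h>` carries no comment, and the reason it is load-bearing is not visible from the header itself: `STUB_MAX_FDS` — and therefore the size of the array this header declares — depends on `CONFIG_UML_SECCOMP`, so every translation unit that includes mm_id.h, kernel side and os-Linux side alike, has to resolve that symbol the same way or the two sides disagree on the array's size (and, presumably, the struct layout), which is consistent with the quoted memcpy in wait_stub_done_seccomp running past a CMSG buffer sized from `sizeof(mm_idp->syscall_fd_map)`. I would put a why-comment directly above the include, e.g. `/* CONFIG_UML_SECCOMP must resolve identically in kernel and os-Linux builds: STUB_MAX_FDS sizes a struct shared across that boundary */`, so a later cleanup does not drop it as unused. The `#else` value of `STUB_MAX_FDS` is outside the quoted hunk, so I cannot confirm from here that the mismatch is the whole story; a consumer-side guard in the quoted process.c hunk, something like `if (fds_size > sizeof(mm_idp->syscall_fd_map))` failing hard before the memcpy, would have turned this fortify abort into a clear diagnostic and would still catch any future drift between the two sides.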