From: Sana Kazi <[email protected]> pthread_setname_np opens the thread's comm file using O_RDWR, but the function only ever writes to it. This causes two distinct problems:
1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec, so it remains open across fork+exec. A child process that audits its inherited file-descriptor set will encounter an unexpected /proc fd it did not open and may treat this as a security violation and abort. 2. Unnecessary O_RDWR: requesting read+write access when only write access is needed can cause open() to fail under security policies that permit writing to /proc/<tid>/comm but deny reading it. Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC Similarly, updated pthread_getname_np to use O_CLOEXEC. Signed-off-by: Sana Kazi <[email protected]> --- .../glibc/glibc/0024-fix-fd-leaks.patch | 59 +++++++++++++++++++ meta/recipes-core/glibc/glibc_2.43.bb | 1 + 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch diff --git a/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch b/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch new file mode 100644 index 0000000000..989e55d473 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch @@ -0,0 +1,59 @@ +From 1cba6073e500c7bde9322a2f536fc0c308846c61 Mon Sep 17 00:00:00 2001 +From: Sana Kazi <[email protected]> +Date: Mon, 15 Jun 2026 16:37:59 +0200 +Subject: [PATCH] nptl: open threads comm with O_WRONLY|O_CLOEXEC + +pthread_setname_np opens the thread's comm file using O_RDWR, but the +function only ever writes to it. This causes two distinct problems: + +1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec, + so it remains open across fork+exec. A child process that audits + its inherited file-descriptor set will encounter an unexpected /proc + fd it did not open and may treat this as a security violation and + abort. + +2. Unnecessary O_RDWR: requesting read+write access when only write + access is needed can cause open() to fail under security policies + that permit writing to /proc/<tid>/comm but deny reading it. + +Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC + +Similarly, updated pthread_getname_np to use O_CLOEXEC. + +Bug-Id: 34192[https://sourceware.org/bugzilla/show_bug.cgi?id=34192] + +Signed-off-by: Sana Kazi <[email protected]> +Reviewed-by: Florian Weimer <[email protected]> +--- + nptl/pthread_getname.c | 2 +- + nptl/pthread_setname.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nptl/pthread_getname.c b/nptl/pthread_getname.c +index da23a13ba5..5261993d1f 100644 +--- a/nptl/pthread_getname.c ++++ b/nptl/pthread_getname.c +@@ -44,7 +44,7 @@ __pthread_getname_np (pthread_t th, char *buf, size_t len) + char fname[sizeof (FMT) + 8]; + sprintf (fname, FMT, (unsigned int) pd->tid); + +- int fd = __open64_nocancel (fname, O_RDONLY); ++ int fd = __open64_nocancel (fname, O_RDONLY | O_CLOEXEC); + if (fd == -1) + return errno; + +diff --git a/nptl/pthread_setname.c b/nptl/pthread_setname.c +index 62f4964fcc..f9a528c3d8 100644 +--- a/nptl/pthread_setname.c ++++ b/nptl/pthread_setname.c +@@ -46,7 +46,7 @@ __pthread_setname_np (pthread_t th, const char *name) + char fname[sizeof (FMT) + 8]; + sprintf (fname, FMT, (unsigned int) pd->tid); + +- int fd = __open64_nocancel (fname, O_RDWR); ++ int fd = __open64_nocancel (fname, O_WRONLY | O_CLOEXEC); + if (fd == -1) + return errno; + +-- +2.43.7 diff --git a/meta/recipes-core/glibc/glibc_2.43.bb b/meta/recipes-core/glibc/glibc_2.43.bb index b84c55ca17..d1892075ad 100644 --- a/meta/recipes-core/glibc/glibc_2.43.bb +++ b/meta/recipes-core/glibc/glibc_2.43.bb @@ -54,6 +54,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0020-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ file://0021-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch \ file://0022-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch \ + file://0024-fix-fd-leaks.patch \ " B = "${WORKDIR}/build-${TARGET_SYS}" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239419): https://lists.openembedded.org/g/openembedded-core/message/239419 Mute This Topic: https://lists.openembedded.org/mt/119948528/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
