From patchwork Mon Mar 14 17:53:16 2022
X-Patchwork-Submitter: Sam James
X-Patchwork-Id: 1605233
From: Sam James
To: libc-alpha@sourceware.org
Cc: mozilla@gentoo.org, toolchain@gentoo.org
Subject: [PATCH v2 1/1] nss: return early in DB reload-and-get if newfstatat fails (BZ #28752)
Date: Mon, 14 Mar 2022 17:53:16 +0000
Message-Id: <20220314175316.3239120-2-sam@gentoo.org>
In-Reply-To: <20220314175316.3239120-1-sam@gentoo.org>
References: <20220314175316.3239120-1-sam@gentoo.org>
X-Mailer: git-send-email 2.35.1

In some circumstances, the __stat64_time64() call in
nss_database_check_reload_and_get() might fail (via e.g. newfstatat
being filtered by seccomp in parent). We have to check its return
value to avoid an out-of-bounds access later on if the call failed.

This manifests as Firefox crashing at runtime when e.g. glib is
compiled with FAM support, which ends up taking this NSS path.

Bug: https://sourceware.org/pipermail/libc-help/2021-December/006061.html
Bug: https://bugs.gentoo.org/828070
Suggested-by: Adhemerval Zanella
Signed-off-by: Sam James
---
 nss/nss_database.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/nss/nss_database.c b/nss/nss_database.c
index d56c5b798d..a0522ea7d2 100644
--- a/nss/nss_database.c
+++ b/nss/nss_database.c
@@ -424,17 +424,21 @@ nss_database_check_reload_and_get (struct nss_database_state *local, errors here are very unlikely, but the chance that we're entering a container is also very unlikely, so we err on the side of both very unlikely things not happening at the same time. */ - if (__stat64_time64 ("/", &str) != 0 - || (local->root_ino != 0 - && (str.st_ino != local->root_ino - || str.st_dev != local->root_dev))) - { + if (__stat64_time64 ("/", &str) != 0) { + __libc_lock_unlock (local->lock); + return false; + } + + if (local->root_ino != 0 && (str.st_ino != local->root_ino + || str.st_dev != local->root_dev)) + { /* Change detected; disable reloading and return current state. */ atomic_store_release (&local->data.reload_disabled, 1); *result = local->data.services[database_index]; __libc_lock_unlock (local->lock); return true; } + local->root_ino = str.st_ino; local->root_dev = str.st_dev; __libc_lock_unlock (local->lock);
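Review bot: The comment left untouched directly above the change ("errors here are very unlikely, but the chance that we're entering a container is also very unlikely, so we err on the side of both very unlikely things not happening at the same time") describes the old behaviour, in which a failed `__stat64_time64 ("/", &str)` fell through into the change-detected branch and returned the current state with reloading disabled; with the new early `return false` that comment no longer matches the code, so it should be updated to say that a stat failure now unlocks `local->lock` and reports failure to the caller. Two smaller points in the same hunk: the new `if (__stat64_time64 ("/", &str) != 0) {` puts the brace on the `if` line with the body indented four spaces, whereas the surrounding code and the `if (local->root_ino != 0 ...)` block right below use the GNU layout (`{` on its own line indented two spaces, body at six), so please match that; and since the hunk does not show what callers do when this function returns `false`, the commit message should say whether an NSS lookup then fails outright or falls back, so a reviewer can judge the behaviour change from the patch alone.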