author | Rich Felker <dalias@aerifal.cx> | 2015-01-15 23:17:38 -0500 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2015-01-15 23:17:38 -0500 |
commit | 78a8ef47c4d92b7680c52a85f80a81e29da86bb9 (patch) | |
tree | 1363937775b3086470251c8ad9c7f292ce9b6bd9 /src/env/clearenv.c | |
parent | 7152a61a3ab16eacd8ecb94b81641d76c78958b0 (diff) | |
overhaul __synccall and fix AS-safety and other issues in set*id
multi-threaded set*id and setrlimit use the internal __synccall
function to work around the kernel's wrongful treatment of these
process properties as thread-local. the old implementation of
__synccall failed to be AS-safe, despite POSIX requiring setuid and
setgid to be AS-safe, and was not rigorous in assuring that all
threads were caught. in a worst case, threads late in the process of
exiting could retain permissions after setuid reported success, in
which case attacks to regain dropped permissions may have been
possible under the right conditions.
the new implementation of __synccall depends on the presence of
/proc/self/task and will fail if it can't be opened, but is able to
determine that it has caught all threads, and does not use any locks
except its own. it thereby achieves AS-safety simply by blocking
signals to preclude re-entry in the same thread.
with this commit, all known conformance and safety issues in set*id
functions should be fixed.
Diffstat (limited to 'src/env/clearenv.c')
0 files changed, 0 insertions, 0 deletions
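The commit message describes two properties of the reworked `__synccall`: it learns the full thread list from `/proc/self/task` and rescans until it is sure it has caught every thread, and it keeps the caller from being re-entered by blocking signals for the duration. The following is an added example written for this page, not musl's own `__synccall` (which lives in musl's thread code and uses different internals): it starts a few constructed worker threads, walks `/proc/self/task`, signals each other thread with `tgkill`, and repeats the scan until no unseen tid shows up. Everything named `demo_*`, `DEMO_*` and `worker` is hypothetical. It is Linux-specific and assumes `/proc` is mounted, which is exactly the dependency the commit message calls out.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical names for this added example; this is not musl's __synccall. */
#define DEMO_SIG     SIGRTMIN
#define DEMO_THREADS 4
#define MAX_TIDS     1024

static atomic_int caught;   /* threads whose handler has run */
static atomic_int stop;     /* tells the constructed worker threads to exit */

/* Handler does only a lock-free atomic increment, so it is async-signal-safe. */
static void demo_handler(int sig)
{
    (void)sig;
    atomic_fetch_add(&caught, 1);
}

/* Constructed worker: idles until told to stop; stands in for any app thread. */
static void *worker(void *arg)
{
    (void)arg;
    while (!atomic_load(&stop))
        usleep(1000);
    return NULL;
}

/* Signal every thread of this process except the caller by walking
 * /proc/self/task, rescanning until a full pass finds no unseen tid, so a
 * thread created mid-walk is still caught.  Returns the number of threads
 * signalled, or -1 if /proc/self/task cannot be opened (the failure case the
 * commit message describes) or the tid table overflows. */
int demo_broadcast(int sig)
{
    pid_t self = (pid_t)syscall(SYS_gettid);
    pid_t seen[MAX_TIDS];
    int nseen = 0, signalled = 0;

    for (;;) {
        DIR *d = opendir("/proc/self/task");
        if (!d)
            return -1;
        int found_new = 0;
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            if (e->d_name[0] < '0' || e->d_name[0] > '9')
                continue;                       /* skip "." and ".." */
            pid_t tid = (pid_t)atoi(e->d_name);
            if (tid == self)
                continue;
            int known = 0;
            for (int i = 0; i < nseen; i++)
                if (seen[i] == tid) { known = 1; break; }
            if (known)
                continue;
            if (nseen == MAX_TIDS) { closedir(d); return -1; }
            seen[nseen++] = tid;
            found_new = 1;
            if (syscall(SYS_tgkill, getpid(), tid, sig) == 0)
                signalled++;
            else if (errno != ESRCH) {          /* ESRCH: exited between readdir and tgkill */
                closedir(d);
                return -1;
            }
        }
        closedir(d);
        if (!found_new)
            break;
    }
    return signalled;
}

/* Start workers, block all signals in the caller (the re-entry guard the
 * commit message describes), broadcast, and wait for every signalled thread
 * to check in.  Returns 1 if every thread that was signalled ran the handler
 * and at least DEMO_THREADS threads were signalled, else 0. */
int demo_run(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = demo_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(DEMO_SIG, &sa, NULL) != 0)
        return 0;

    atomic_store(&caught, 0);
    atomic_store(&stop, 0);
    pthread_t th[DEMO_THREADS];
    for (int i = 0; i < DEMO_THREADS; i++)
        if (pthread_create(&th[i], NULL, worker, NULL) != 0)
            return 0;                           /* demo only: no cleanup of started threads */

    sigset_t all, old;
    sigfillset(&all);
    pthread_sigmask(SIG_BLOCK, &all, &old);     /* caller cannot be re-entered */
    int signalled = demo_broadcast(DEMO_SIG);
    int ok = 0;
    if (signalled >= DEMO_THREADS) {
        for (int i = 0; i < 2000 && atomic_load(&caught) < signalled; i++)
            usleep(1000);                       /* bounded wait for every handler */
        ok = atomic_load(&caught) == signalled;
    }
    pthread_sigmask(SIG_SETMASK, &old, NULL);

    atomic_store(&stop, 1);
    for (int i = 0; i < DEMO_THREADS; i++)
        pthread_join(th[i], NULL);
    return ok;
}
```

The rescan loop is the point: a single pass over `/proc/self/task` can miss a thread created while the directory is being read, and a thread listed there may already have exited (the `ESRCH` branch), so the walk is repeated until a pass adds nothing. The handler itself must stay async-signal-safe, and the caller keeps signals blocked until it has finished, which is the same re-entry guard the commit message relies on.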