| commit | f5acfe67238a331bf8a6e94715163949999f27e7 | |
| author | Nick Mathewson <nickm@torproject.org> | |
| Fri, 7 May 2021 16:09:41 +0000 (7 12:09 -0400) | ||
| committer | Nick Mathewson <nickm@torproject.org> | |
| Fri, 7 May 2021 16:12:11 +0000 (7 12:12 -0400) | ||
| tree | 1a62e226784d301eb97ac464c3076702ef28174d | treesnapshot (tar.gz zip) |
| parent | 7c86f34340acf7d8cf35501e71b03f2feba1245e | commitdiff |
Add a sandbox workaround for Glibc 2.33
This change permits the newfstatat() system call, and fixes issues
40382 (and 40381).
This isn't a free change. From the commit:
// Libc 2.33 uses this syscall to implement both fstat() and stat().
//
// The trouble is that to implement fstat(fd, &st), it calls:
// newfstatat(fs, "", &st, AT_EMPTY_PATH)
// We can't detect this usage in particular, because "" is a pointer
// we don't control. And we can't just look for AT_EMPTY_PATH, since
// AT_EMPTY_PATH only has effect when the path string is empty.
//
// So our only solution seems to be allowing all fstatat calls, which
// means that an attacker can stat() anything on the filesystem. That's
// not a great solution, but I can't find a better one.
This change permits the newfstatat() system call, and fixes issues
40382 (and 40381).
This isn't a free change. From the commit:
// Libc 2.33 uses this syscall to implement both fstat() and stat().
//
// The trouble is that to implement fstat(fd, &st), it calls:
// newfstatat(fs, "", &st, AT_EMPTY_PATH)
// We can't detect this usage in particular, because "" is a pointer
// we don't control. And we can't just look for AT_EMPTY_PATH, since
// AT_EMPTY_PATH only has effect when the path string is empty.
//
// So our only solution seems to be allowing all fstatat calls, which
// means that an attacker can stat() anything on the filesystem. That's
// not a great solution, but I can't find a better one.
| changes/ticket40382 | [new file with mode: 0644] | blob |
| src/lib/sandbox/sandbox.c | diffblobblamehistory |