Mail Archives: cygwin/2025/01/15/05:03:03

Message-ID: <e7a19a0b-d9e4-48b8-9e6f-6ccf061d2d0a@maxrnd.com>
Date: Wed, 15 Jan 2025 02:01:51 -0800
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: mq_send(-1, ...) segfaults instead of failing with EBADF
To: cygwin AT cygwin DOT com
References: <94f6c13a-e58d-0123-40c6-3f8f9a5d2d6f AT t-online DOT de>
In-Reply-To: <94f6c13a-e58d-0123-40c6-3f8f9a5d2d6f@t-online.de>
From: Mark Geisert via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Mark Geisert <mark AT maxrnd DOT com>

Hi Christian,

On 1/14/2025 7:37 AM, Christian Franke via Cygwin wrote:
> Found with 'stress-ng --mq 1 -v':
> 
> If an invalid fd is passed to mq_send() and other mq_* functions, a 
> segfault occurs instead of returning -1 with errno=EBADF. Depending on 
> optimization, the segfault is not visible in the exit status.
> 
> Testcase:
> 
> $ uname -r
> 3.5.5-1.x86_64
> 
> $ gcc --version
> gcc (GCC) 12.4.0
> ...
> 
> $ cat mqbadfd.c
> #include <mqueue.h>
> #include <stdio.h>
> 
> int main()
> {
>    printf("mq_send:\n"); fflush(stdout);
>    int ret = mq_send(-1, "FOO", 3, 1);
>    printf("ret = %d\n", ret); fflush(stdout);
>    return 42;
> }
> 
> $ gcc -o mqbadfd mqbadfd.c
> 
> $ ./mqbadfd; echo $?
> mq_send:
> 0
> 
> $ gcc -o mqbadfd2 -O2 mqbadfd.c
> 
> $ ./mqbadfd2; echo $?
> mq_send:
> Segmentation fault
> 139
> 
> $ strace ./mqbadfd
> ...
>    111   49460 [main] mqbadfd 23013 fhandler_console::write: 9 = 
> fhandler_console::write(...)
>     39   49499 [main] mqbadfd 23013 write: 9 = write(1, 0xA00017790, 9)
>    211   49710 [main] mqbadfd 23013 __set_errno: 
> cygheap_fdget::cygheap_fdget(int, bool, bool):631 setting errno 9
> --- Process 15116 (pid: 23013), exception c0000005 at 00007ffc766fc71e
> --- Process 15116 (pid: 23013) thread 4672 exited with status 0xc0000005
> --- Process 15116 thread 12184 exited with status 0xc0000005
> --- Process 15116 thread 16828 exited with status 0xc0000005
> --- Process 15116 thread 16892 exited with status 0xc0000005
> --- Process 15116 exited with status 0xc0000005
> Segmentation fault
> 
> $ strace ./mqbadfd2
> ...
>    170   22096 [main] mqbadfd2 23017 write: 9 = write(1, 0xA00017790, 9)
>     71   22167 [main] mqbadfd2 23017 __set_errno: 
> cygheap_fdget::cygheap_fdget(int, bool, bool):631 setting errno 9
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
>     58   22225 [main] mqbadfd2 23017 exception::handle: In 
> cygwin_except_handler exception 0xC0000005 at 0x7FFC766FC71E sp 0x7FFFFCB30
>     25   22250 [main] mqbadfd2 23017 exception::handle: In 
> cygwin_except_handler signal 11 at 0x7FFC766FC71E
>     38   22288 [main] mqbadfd2 23017 break_here: break here
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> ... [infinite loop - strace needs to be terminated by task manager]
> 
> 
> Same if -fstack-protector-strong is added.

Thanks for the report and testcase.  It appears the mq_*() functions are 
missing a validation step.  I'll submit a patch shortly.

..mark

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
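
Added example, not part of the original message and not Cygwin source: the strace in the report shows the descriptor lookup setting errno 9 (EBADF) immediately before the access violation, and the reply attributes the crash to a missing validation step. The toy model below shows that step: the lookup result is tested before use, and a descriptor that is open but is not a writable queue is also rejected with EBADF, as POSIX specifies for mq_send(). All toy_* names and the table contents are hypothetical and constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy descriptor table for illustration; every toy_* name is hypothetical. */
enum toy_kind { TOY_FREE, TOY_FILE, TOY_MQ };
struct toy_desc {
    enum toy_kind kind;
    int writable;        /* opened with write access */
    size_t msgsize;      /* largest message accepted (queues only) */
    char slot[64];       /* one-message "queue", enough for the demo */
};
#define TOY_MAX 8
static struct toy_desc toy_table[TOY_MAX] = {
    [3] = { TOY_FILE, 1, 0,  {0} },   /* constructed: ordinary file */
    [4] = { TOY_MQ,   0, 16, {0} },   /* constructed: read-only queue */
    [5] = { TOY_MQ,   1, 16, {0} },   /* constructed: writable queue */
};

static int toy_fail(int err) { errno = err; return -1; }
/* Lookup that fails closed: NULL with errno = EBADF unless fd names an
   open slot. Callers must test the result before dereferencing it. */
static struct toy_desc *toy_fdget(int fd)
{
    if (fd < 0 || fd >= TOY_MAX || toy_table[fd].kind == TOY_FREE) {
        errno = EBADF;
        return NULL;
    }
    return &toy_table[fd];
}

int toy_mq_send(int fd, const char *msg, size_t len)
{
    struct toy_desc *d = toy_fdget(fd);
    if (d == NULL)                        /* the validation step */
        return -1;                        /* errno is already EBADF */
    if (d->kind != TOY_MQ || !d->writable)
        return toy_fail(EBADF);           /* open, but not a writable queue */
    if (len > d->msgsize)
        return toy_fail(EMSGSIZE);
    memcpy(d->slot, msg, len);
    return 0;
}

int main(void)
{
    int ret = toy_mq_send(-1, "FOO", 3);  /* descriptor and payload from the report */
    printf("ret = %d (%s)\n", ret, strerror(errno));
    return 0;
}
```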
