GNU bug report logs - #30918
mv: don't use syscall() to call renameat2()

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: coreutils; Severity: wishlist; Reported by: Ross Burton <ross@HIDDEN>; dated Fri, 23 Mar 2018 18:17:01 UTC; Maintainer for coreutils is bug-coreutils@HIDDEN.
Changed bug title to 'mv: don't use syscall() to call renameat2()' from 'Don't use syscall() to call renameat2()' Request was from Assaf Gordon <assafgordon@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Severity set to 'wishlist' from 'normal' Request was from Assaf Gordon <assafgordon@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 26 Mar 2018 01:52:55 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Mar 25 21:52:55 2018
Received: from localhost ([127.0.0.1]:53337 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1f0HJf-0000FZ-1v
	for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 21:52:55 -0400
Received: from eggs.gnu.org ([208.118.235.92]:37792)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <seebs@HIDDEN>) id 1f0HJd-0000FM-2K
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 21:52:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <seebs@HIDDEN>) id 1f0HJX-0007e3-19
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 21:52:47 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:47200)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <seebs@HIDDEN>) id 1f0HJW-0007dx-Tn
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 21:52:46 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56988)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <seebs@HIDDEN>) id 1f0HJV-0003hA-GN
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 21:52:46 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <seebs@HIDDEN>) id 1f0HJQ-0007Zm-MJ
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 21:52:45 -0400
Received: from mail.seebs.net ([162.213.38.76]:32500)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <seebs@HIDDEN>) id 1f0HJQ-0007Yn-FW
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 21:52:40 -0400
Received: from seebsdell (unknown [24.196.59.174])
 by mail.seebs.net (Postfix) with ESMTPSA id 917E92E8922;
 Sun, 25 Mar 2018 20:52:37 -0500 (CDT)
Date: Sun, 25 Mar 2018 20:52:32 -0500
From: Seebs <seebs@HIDDEN>
To: Paul Eggert <eggert@HIDDEN>
Subject: Re: bug#30918: Don't use syscall() to call renameat2()
Message-ID: <20180325205232.47d1b1dc@seebsdell>
In-Reply-To: <768fd2df-52d4-6302-a271-bc1d937b5da8@HIDDEN>
References: <1521972948.11431.53.camel@HIDDEN>
 <20180325093706.56d4e65f@seebsdell>
 <768fd2df-52d4-6302-a271-bc1d937b5da8@HIDDEN>
X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-detected-operating-system: by eggs.gnu.org: FreeBSD 9.x [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.4 (----)
X-Debbugs-Envelope-To: submit
Cc: Richard Purdie <richard.purdie@HIDDEN>, bug-coreutils@HIDDEN,
 Burton Ross <ross.burton@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.4 (----)

On Sun, 25 Mar 2018 18:20:56 -0700
Paul Eggert <eggert@HIDDEN> wrote:

> Seebs wrote:
> > I have significant concerns about the feasibility of a generic
> > wrapper for syscall(). In particular, a "wrapper" which does
> > *nothing* but forward arguments may well be practical. Or one which
> > just fails immediately and claims ENOTSUPP -- but this creates the
> > risk that we'll break things which were using perfectly valid
> > syscalls which work fine and which we don't need to intercept or do
> > anything with.
> 
> For this particular issue, failing with ENOTSUPP should do. Perhaps
> such a behavior could be available as a link-time or runtime option.
> 
> More precise would be to have syscall to do nothing but forward
> arguments, *except* for the renameat2 syscall which would work much
> like the renameat wrapper that I assume you already have. This would
> work for coreutils, shouldn't break anything else, shouldn't require
> a link-time or runtime option, and shouldn't be that much harder than
> always forwarding syscall arguments.

We actually hadn't added a wrapper for it; so far as I can tell, no
one's ever used it before. (Or at least, no one's ever used it in such
a way that failing to catch it was causing detectable issues.) It's on
my list now that I've seen an actual program attempting to use it.

And I don't think it's that simple; as noted, I'm not convinced that
a function written in C can reliably interpret the arguments of some
syscalls across targets. (renameat2 may not be one of those affected.)
For instance, as noted in the man page, if I wanted to try to interpret
the arguments passed to SYS_readahead, I'd have to do things differently
for EABI ARM than I would for x86. That's a degree of additional magic
not previously present in any of the wrappers, perhaps surprisingly.

I haven't got a MIPS machine handy to go look, but the kind of thing
I'm concerned about is the description from syscall(2):

>       On a few architectures, a register is used to indicate simple
>       boolean failure of the system call:  ia64 uses r10 for this
>       purpose, and mips uses a3.

If I'm writing a wrapper in C, I can't preserve that value, but I have
to make *other* system calls before and after calling the underlying
wrapper.

So if it's the case that, after a call into syscall(), some value has
been stored in register a3 on MIPS... There's nothing I can write in
C that will preserve that value for my caller, and the other system
calls I make after the call to the "real" syscall() may overwrite it.
So the caller will get the wrong value, and if they were assuming that
syscall() would perform as expected...

This function may actually be Too Magic to sanely wrap. I think this is
the only library function I've ever seen document a need to insert an
unused argument between two arguments, but only for a specific ABI.

(We do have a couple of arch-specific hooks, but they're at the level
of "which compatibility version to specify for a particular function".)

-s




Information forwarded to bug-coreutils@HIDDEN:
bug#30918; Package coreutils. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 26 Mar 2018 01:21:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Mar 25 21:21:17 2018
Received: from localhost ([127.0.0.1]:53320 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1f0Gp3-0007xD-CK
	for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 21:21:17 -0400
Received: from eggs.gnu.org ([208.118.235.92]:54695)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eggert@HIDDEN>) id 1f0Gp1-0007wy-M6
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 21:21:16 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <eggert@HIDDEN>) id 1f0Gov-00043K-GY
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 21:21:10 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:52250)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <eggert@HIDDEN>) id 1f0Gov-00043E-Cw
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 21:21:09 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45665)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <eggert@HIDDEN>) id 1f0Gou-0004U1-3U
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 21:21:09 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <eggert@HIDDEN>) id 1f0Goq-00041P-4t
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 21:21:08 -0400
Received: from zimbra.cs.ucla.edu ([131.179.128.68]:37124)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <eggert@HIDDEN>) id 1f0Gop-0003ys-Ve
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 21:21:04 -0400
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 09B6D160F9F;
 Sun, 25 Mar 2018 18:21:01 -0700 (PDT)
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id hygKdES-LrZs; Sun, 25 Mar 2018 18:21:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 466DC1611D3;
 Sun, 25 Mar 2018 18:21:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id JajuKdn1uxE1; Sun, 25 Mar 2018 18:21:00 -0700 (PDT)
Received: from [192.168.1.9] (unknown [47.154.30.119])
 by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 202CD160F9F;
 Sun, 25 Mar 2018 18:21:00 -0700 (PDT)
Subject: Re: bug#30918: Don't use syscall() to call renameat2()
To: Seebs <seebs@HIDDEN>,
 Richard Purdie <richard.purdie@HIDDEN>
References: <1521972948.11431.53.camel@HIDDEN>
 <20180325093706.56d4e65f@seebsdell>
From: Paul Eggert <eggert@HIDDEN>
Organization: UCLA Computer Science Department
Message-ID: <768fd2df-52d4-6302-a271-bc1d937b5da8@HIDDEN>
Date: Sun, 25 Mar 2018 18:20:56 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180325093706.56d4e65f@seebsdell>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.0 (----)
X-Debbugs-Envelope-To: submit
Cc: bug-coreutils@HIDDEN, Burton Ross <ross.burton@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.0 (----)

Seebs wrote:
> I have significant concerns about the feasibility of a generic wrapper
> for syscall(). In particular, a "wrapper" which does *nothing* but
> forward arguments may well be practical. Or one which just fails
> immediately and claims ENOTSUPP -- but this creates the risk that we'll
> break things which were using perfectly valid syscalls which work fine
> and which we don't need to intercept or do anything with.

For this particular issue, failing with ENOTSUPP should do. Perhaps such =
a=20
behavior could be available as a link-time or runtime option.

More precise would be to have syscall to do nothing but forward arguments=
,=20
*except* for the renameat2 syscall which would work much like the renamea=
t=20
wrapper that I assume you already have. This would work for coreutils, sh=
ouldn't=20
break anything else, shouldn't require a link-time or runtime option, and=
=20
shouldn't be that much harder than always forwarding syscall arguments.

> I'm assuming the race condition refers to the behavior of
> RENAME_EXCHANGE.

No, it's RENAME_NOREPLACE. Coreutils doesn't use RENAME_EXCHANGE now (tho=
ugh it=20
might in the future, I suppose).




Information forwarded to bug-coreutils@HIDDEN:
bug#30918; Package coreutils. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 25 Mar 2018 17:12:55 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Mar 25 13:12:55 2018
Received: from localhost ([127.0.0.1]:53148 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1f09CQ-0004ka-Dw
	for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 13:12:55 -0400
Received: from eggs.gnu.org ([208.118.235.92]:60574)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <seebs@HIDDEN>) id 1f06lz-0007br-Jg
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 10:37:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <seebs@HIDDEN>) id 1f06lt-0003gV-1K
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 10:37:22 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:55501)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <seebs@HIDDEN>) id 1f06ls-0003gN-Tk
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 10:37:20 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51528)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <seebs@HIDDEN>) id 1f06lr-0004mq-Fg
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 10:37:20 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <seebs@HIDDEN>) id 1f06lm-0003aq-EH
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 10:37:19 -0400
Received: from mail.seebs.net ([162.213.38.76]:27731)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <seebs@HIDDEN>) id 1f06lm-0003Yi-5g
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 10:37:14 -0400
Received: from seebsdell (unknown [24.196.59.174])
 by mail.seebs.net (Postfix) with ESMTPSA id 361542E892B;
 Sun, 25 Mar 2018 09:37:11 -0500 (CDT)
Date: Sun, 25 Mar 2018 09:37:06 -0500
From: Seebs <seebs@HIDDEN>
To: Richard Purdie <richard.purdie@HIDDEN>
Subject: Re: bug#30918: Don't use syscall() to call renameat2()
Message-ID: <20180325093706.56d4e65f@seebsdell>
In-Reply-To: <1521972948.11431.53.camel@HIDDEN>
References: <1521972948.11431.53.camel@HIDDEN>
X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: FreeBSD 9.x [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.4 (----)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Sun, 25 Mar 2018 13:12:53 -0400
Cc: eggert@HIDDEN, bug-coreutils@HIDDEN,
 Burton Ross <ross.burton@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.4 (----)

On Sun, 25 Mar 2018 11:15:48 +0100
Richard Purdie <richard.purdie@HIDDEN> wrote:

> > On 03/23/2018 10:38 AM, Ross Burton wrote:
> > > Please consider changing renameat2.c so that it doesn't hit=C2=A0
> > > syscall() if the wrapper isn't available.
> >=C2=A0
> > That would reintroduce race-condition security holes in the
> > ordinary build of GNU Coreutils on GNU/Linux, which would not be a
> > good thing. Instead, how about fixing fakeroot so that it traps
> > 'syscall' and fails with errno =3D=3D ENOTSUP? Better yet, fix fakeroot
> > so that it implements the renameat2 semantics with that syscall.
> > (Or even better, add renameat2 to both glibc and fakeroot. :-)
>=20
> I've just had a look at this situation and its not as simple as it may
> first appear. The function prototype for syscall() in posix/unistd.h
> is:
>=20
> extern long int syscall (long int __sysno, ...)
>=20
> and the implementation in glibc is in assembler for each architecture.
> The syscall(2) man page also gives a little bit more of a hint of the
> challenges in the syscall() function with register splits and
> alignment along with different forms of error handling. You can call
> it with varying numbers of options and the register usage needs to be
> tightly controlled, its not a "normal" function where standard
> function calling conventions will always work.
>=20
> So yes, we could add a wrapper in pseudo however we're likely going to
> have to end up using assembler to avoid smashing the calling stack in
> the general case. That would be on a per architecture basis and comes
> with all the complexities that brings.
>=20
> I'd therefore like to add my own plea to figure out and use some glibc
> API for this even if we have to establish it.

I have significant concerns about the feasibility of a generic wrapper
for syscall(). In particular, a "wrapper" which does *nothing* but
forward arguments may well be practical. Or one which just fails
immediately and claims ENOTSUPP -- but this creates the risk that we'll
break things which were using perfectly valid syscalls which work fine
and which we don't need to intercept or do anything with.

But if we don't want to break code which is using syscall() for other
operations, we would have to (1) successfully forward all system calls
*and* handle their returns, (2) also intercept specific cases and
modify their parameters. Which requires us to *comprehend* their
parameters. For instance, in the pseudo environment, we may be
virtualizing a chroot() operation, so a literal renameat2() argument of
"/a" gets translated into "/chroot/path/a" before it gets handed to the
kernel.

Take a look at the man page for syscall(2), and consider what we have
to do if we want to *handle* the arguments in any way. For instance, if
we needed to intercept SYS_readahead on EABI (we wouldn't, but it's
the example they give in the man page), we'd have to process arguments
completely differently from if we were processing it on x86. I am not
sure whether there's parallel concerns for 64-bit pointers on a 64-bit
ARM system. I would also have concerns about the "sets registers to
indicate success" behavior; wrapper functions are going to make *other
system calls* after calling the underlying syscall, so things like that
could (and in that case, I think probably would) get smashed by the
later syscalls.

I'm assuming the race condition refers to the behavior of
RENAME_EXCHANGE. I hadn't seen that before, and I don't know of an
existing mv(1) usage which would use it, but it does seem an
exceptionally desireable thing to have available. On the other hand,
I'm not sure it's technically *possible* to fix this in pseudo.
(I'm aware that pseudo as a whole is well past the realm of "merely
undefined" behavior and into "why would you do that, what's wrong with
you", but we haven't been able to make the requirement go away.)

I will be adding a wrapper for renameat2() to pseudo, but I can't make
glibc change its behavior so quickly.

(And now that I look more closely at the flags, supporting
RENAME_EXCHANGE will require more complicated effort than I'd initially
realized.)

-s




Information forwarded to bug-coreutils@HIDDEN:
bug#30918; Package coreutils. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 25 Mar 2018 13:30:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Mar 25 09:30:17 2018
Received: from localhost ([127.0.0.1]:52220 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1f05iy-0005s5-Le
	for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 09:30:17 -0400
Received: from eggs.gnu.org ([208.118.235.92]:59575)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <richard.purdie@HIDDEN>)
 id 1f02hC-0005RR-Jy
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 06:16:15 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <richard.purdie@HIDDEN>)
 id 1f02h6-0004Uh-DS
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 06:16:09 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:36141)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <richard.purdie@HIDDEN>)
 id 1f02h6-0004UZ-9T
 for submit <at> debbugs.gnu.org; Sun, 25 Mar 2018 06:16:08 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50543)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <richard.purdie@HIDDEN>)
 id 1f02h5-00048b-88
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 06:16:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <richard.purdie@HIDDEN>)
 id 1f02h2-0004Pp-3P
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 06:16:07 -0400
Received: from 5751f4a1.skybroadband.com ([87.81.244.161]:55889
 helo=dan.rpsys.net)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <richard.purdie@HIDDEN>)
 id 1f02h1-0004N4-RJ
 for bug-coreutils@HIDDEN; Sun, 25 Mar 2018 06:16:04 -0400
Received: from hex ([192.168.3.34]) (authenticated bits=0)
 by dan.rpsys.net (8.15.2/8.15.2/Debian-3) with ESMTPSA id w2PAFmhd030946
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT);
 Sun, 25 Mar 2018 11:15:49 +0100
Message-ID: <1521972948.11431.53.camel@HIDDEN>
Subject: bug#30918: Don't use syscall() to call renameat2()
From: Richard Purdie <richard.purdie@HIDDEN>
To: eggert@HIDDEN, bug-coreutils@HIDDEN, Burton Ross
 <ross.burton@HIDDEN>, Seebs <seebs@HIDDEN>
Date: Sun, 25 Mar 2018 11:15:48 +0100
In-Reply-To: 798fb45c-f35e-129d-b3f0-b34a378f6b7c@HIDDEN
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 
Mime-Version: 1.0
X-Virus-Scanned: clamav-milter 0.99.3 at dan
X-Virus-Status: Clean
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by dan.rpsys.net id
 w2PAFmhd030946
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.0 (----)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Sun, 25 Mar 2018 09:30:15 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.0 (----)

> On 03/23/2018 10:38 AM, Ross Burton wrote:
> > Please consider changing renameat2.c so that it doesn't hit=C2=A0
> > syscall() if the wrapper isn't available.
>=C2=A0
> That would reintroduce race-condition security holes in the ordinary=C2=
=A0
> build of GNU Coreutils on GNU/Linux, which would not be a good=C2=A0
> thing. Instead, how about fixing fakeroot so that it traps 'syscall'=C2=
=A0
> and fails with errno =3D=3D ENOTSUP? Better yet, fix fakeroot so that i=
t=C2=A0
> implements the renameat2 semantics with that syscall. (Or even=C2=A0
> better, add renameat2 to both glibc and fakeroot. :-)

I've just had a look at this situation and its not as simple as it may
first appear. The function prototype for syscall() in posix/unistd.h
is:

extern long int syscall (long int __sysno, ...)

and the implementation in glibc is in assembler for each architecture.
The syscall(2) man page also gives a little bit more of a hint of the
challenges in the syscall() function with register splits and alignment
along with different forms of error handling. You can call it with
varying numbers of options and the register usage needs to be tightly
controlled, its not a "normal" function where standard function calling
conventions will always work.

So yes, we could add a wrapper in pseudo however we're likely going to
have to end up using assembler to avoid smashing the calling stack in
the general case. That would be on a per architecture basis and comes
with all the complexities that brings.

I'd therefore like to add my own plea to figure out and use some glibc
API for this even if we have to establish it.

Cheers,

Richard






Information forwarded to bug-coreutils@HIDDEN:
bug#30918; Package coreutils. Full text available.

Message received at 30918 <at> debbugs.gnu.org:


Received: (at 30918) by debbugs.gnu.org; 24 Mar 2018 21:06:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Mar 24 17:06:39 2018
Received: from localhost ([127.0.0.1]:51896 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ezqN5-0001K4-3l
	for submit <at> debbugs.gnu.org; Sat, 24 Mar 2018 17:06:39 -0400
Received: from zimbra.cs.ucla.edu ([131.179.128.68]:45194)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eggert@HIDDEN>) id 1ezqN3-0001Jq-BA
 for 30918 <at> debbugs.gnu.org; Sat, 24 Mar 2018 17:06:38 -0400
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 65F6B1616AC;
 Sat, 24 Mar 2018 14:06:31 -0700 (PDT)
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id JmolrmULkb7P; Sat, 24 Mar 2018 14:06:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id A48EC1616B5;
 Sat, 24 Mar 2018 14:06:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id cV3L6aNbnb6m; Sat, 24 Mar 2018 14:06:30 -0700 (PDT)
Received: from [192.168.1.9] (unknown [47.154.30.119])
 by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 71C511616AC;
 Sat, 24 Mar 2018 14:06:30 -0700 (PDT)
Subject: Re: bug#30918: Don't use syscall() to call renameat2()
To: Clint Adams <clint@HIDDEN>
References: <CAAnfSTtzCpA3gLUsvmP-CeMPfn9t0Q_pXvOhicMS9Nd=DNv8+A@HIDDEN>
 <798fb45c-f35e-129d-b3f0-b34a378f6b7c@HIDDEN>
 <20180324210024.o3bszvlipkk37ipa@HIDDEN>
From: Paul Eggert <eggert@HIDDEN>
Organization: UCLA Computer Science Department
Message-ID: <b13cdd23-9771-29fa-60a7-1f1e2333732a@HIDDEN>
Date: Sat, 24 Mar 2018 14:06:30 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180324210024.o3bszvlipkk37ipa@HIDDEN>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 30918
Cc: 30918 <at> debbugs.gnu.org, Ross Burton <ross@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

Clint Adams wrote:
> What's keeping it out of glibc?

Sorry, don't know offhand. Mostly lack of time, I expect.




Information forwarded to bug-coreutils@HIDDEN:
bug#30918; Package coreutils. Full text available.

Message received at 30918 <at> debbugs.gnu.org:


Received: (at 30918) by debbugs.gnu.org; 24 Mar 2018 21:04:50 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Mar 24 17:04:50 2018
Received: from localhost ([127.0.0.1]:51878 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ezqLJ-0001Fu-S1
	for submit <at> debbugs.gnu.org; Sat, 24 Mar 2018 17:04:50 -0400
Received: from thumb.scru.org ([104.200.20.71]:51776)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <clint@HIDDEN>) id 1ezqH3-00019p-Qr
 for 30918 <at> debbugs.gnu.org; Sat, 24 Mar 2018 17:00:26 -0400
Received: by thumb.scru.org (Postfix, from userid 1000)
 id CAE1B6255A; Sat, 24 Mar 2018 21:00:24 +0000 (UTC)
Date: Sat, 24 Mar 2018 21:00:24 +0000
From: Clint Adams <clint@HIDDEN>
To: Paul Eggert <eggert@HIDDEN>
Subject: Re: bug#30918: Don't use syscall() to call renameat2()
Message-ID: <20180324210024.o3bszvlipkk37ipa@HIDDEN>
References: <CAAnfSTtzCpA3gLUsvmP-CeMPfn9t0Q_pXvOhicMS9Nd=DNv8+A@HIDDEN>
 <798fb45c-f35e-129d-b3f0-b34a378f6b7c@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <798fb45c-f35e-129d-b3f0-b34a378f6b7c@HIDDEN>
User-Agent: NeoMutt/20170113 (1.7.2)
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: 30918
X-Mailman-Approved-At: Sat, 24 Mar 2018 17:04:48 -0400
Cc: 30918 <at> debbugs.gnu.org, Ross Burton <ross@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.0 (+)

On Fri, Mar 23, 2018 at 12:02:36PM -0700, Paul Eggert wrote:
> That would reintroduce race-condition security holes in the ordinary build
> of GNU Coreutils on GNU/Linux, which would not be a good thing. Instead, how
> about fixing fakeroot so that it traps 'syscall' and fails with errno ==
> ENOTSUP? Better yet, fix fakeroot so that it implements the renameat2
> semantics with that syscall. (Or even better, add renameat2 to both glibc
> and fakeroot. :-)

What's keeping it out of glibc?




Information forwarded to bug-coreutils@HIDDEN:
bug#30918; Package coreutils. Full text available.

Message received at 30918 <at> debbugs.gnu.org:


Received: (at 30918) by debbugs.gnu.org; 23 Mar 2018 19:02:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 23 15:02:45 2018
Received: from localhost ([127.0.0.1]:50004 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ezRxd-00039m-Bm
	for submit <at> debbugs.gnu.org; Fri, 23 Mar 2018 15:02:45 -0400
Received: from zimbra.cs.ucla.edu ([131.179.128.68]:45024)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eggert@HIDDEN>) id 1ezRxb-00039a-PN
 for 30918 <at> debbugs.gnu.org; Fri, 23 Mar 2018 15:02:44 -0400
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 4873D16177F;
 Fri, 23 Mar 2018 12:02:38 -0700 (PDT)
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id Ys10zy6MoJdk; Fri, 23 Mar 2018 12:02:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by zimbra.cs.ucla.edu (Postfix) with ESMTP id 929A8161774;
 Fri, 23 Mar 2018 12:02:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Received: from zimbra.cs.ucla.edu ([127.0.0.1])
 by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id joJZxnW9Fu6P; Fri, 23 Mar 2018 12:02:36 -0700 (PDT)
Received: from Penguin.CS.UCLA.EDU (Penguin.CS.UCLA.EDU [131.179.64.200])
 by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 6B89E16177F;
 Fri, 23 Mar 2018 12:02:36 -0700 (PDT)
Subject: Re: bug#30918: Don't use syscall() to call renameat2()
To: Ross Burton <ross@HIDDEN>, 30918 <at> debbugs.gnu.org, clint@HIDDEN
References: <CAAnfSTtzCpA3gLUsvmP-CeMPfn9t0Q_pXvOhicMS9Nd=DNv8+A@HIDDEN>
From: Paul Eggert <eggert@HIDDEN>
Organization: UCLA Computer Science Department
Message-ID: <798fb45c-f35e-129d-b3f0-b34a378f6b7c@HIDDEN>
Date: Fri, 23 Mar 2018 12:02:36 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAAnfSTtzCpA3gLUsvmP-CeMPfn9t0Q_pXvOhicMS9Nd=DNv8+A@HIDDEN>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 30918
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

On 03/23/2018 10:38 AM, Ross Burton wrote:
> Please consider
> changing renameat2.c so that it doesn't hit syscall() if the wrapper isn't
> available.

That would reintroduce race-condition security holes in the ordinary 
build of GNU Coreutils on GNU/Linux, which would not be a good thing. 
Instead, how about fixing fakeroot so that it traps 'syscall' and fails 
with errno == ENOTSUP? Better yet, fix fakeroot so that it implements 
the renameat2 semantics with that syscall. (Or even better, add 
renameat2 to both glibc and fakeroot. :-)





Information forwarded to bug-coreutils@HIDDEN:
bug#30918; Package coreutils. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 23 Mar 2018 18:16:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 23 14:16:15 2018
Received: from localhost ([127.0.0.1]:49984 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ezREb-00025T-JM
	for submit <at> debbugs.gnu.org; Fri, 23 Mar 2018 14:16:15 -0400
Received: from eggs.gnu.org ([208.118.235.92]:42986)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ross@HIDDEN>) id 1ezQeZ-0001Fe-6C
 for submit <at> debbugs.gnu.org; Fri, 23 Mar 2018 13:39:00 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ross@HIDDEN>) id 1ezQeS-0002tq-VK
 for submit <at> debbugs.gnu.org; Fri, 23 Mar 2018 13:38:53 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_05,HTML_MESSAGE,
 T_DKIM_INVALID autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:54522)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <ross@HIDDEN>) id 1ezQeS-0002ta-Rk
 for submit <at> debbugs.gnu.org; Fri, 23 Mar 2018 13:38:52 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33951)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <ross@HIDDEN>) id 1ezQeR-0006Mg-Le
 for bug-coreutils@HIDDEN; Fri, 23 Mar 2018 13:38:52 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ross@HIDDEN>) id 1ezQeN-0002qt-Gz
 for bug-coreutils@HIDDEN; Fri, 23 Mar 2018 13:38:51 -0400
Received: from mail-ot0-x232.google.com ([2607:f8b0:4003:c0f::232]:38681)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <ross@HIDDEN>) id 1ezQeN-0002qC-BM
 for bug-coreutils@HIDDEN; Fri, 23 Mar 2018 13:38:47 -0400
Received: by mail-ot0-x232.google.com with SMTP id 95-v6so14101388ote.5
 for <bug-coreutils@HIDDEN>; Fri, 23 Mar 2018 10:38:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=burtonini-com.20150623.gappssmtp.com; s=20150623;
 h=mime-version:from:date:message-id:subject:to;
 bh=/m/Sp2Gq/oeffKrG0+z5YT1nLUCj2/UP2zeWxMRL76M=;
 b=MWssWTcqSv+k1lZRQw1Zq1MotVwBMITfde7LaiSJ7QoYpDzjvUXhy6h/82vqlH3AnB
 KTGHuPsN2o+ZGI5G3u7zae1BmkbjSHk+XjZOCZnOTVqa+5nqXAmeeOnCa9bYp+1vBCpO
 eol36LL4rNXkXXLQHgftkR6ctaAqH7CxI8vZBmfajTnQjn0OevUBSb62Zz8f2RdYPo0h
 x7WBG43dnK19AWbUcu6CpbTZOWdzneExEcIDv6p7COHPhSOtJ180AY/vLl2pBFCnapTF
 2c0TDVSVAeaCWyQ3TwtVjYeEwOvU62akkCVe7HrrznhGMSrfusSwFEhdIp3DlyqNSBZq
 yjRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=/m/Sp2Gq/oeffKrG0+z5YT1nLUCj2/UP2zeWxMRL76M=;
 b=ICvN1Jh8EaSjyOB92fGQVD8gL/j7a4THJzqUR0Q+UwjRJt8ZYI++V3t40Pd/jyarVU
 O4NY3V7nA1a/DV8tHG1H5YrXkNaeHeukXnu8afA98l8XqXghSwC/BkwbNhNHaAkBmTrX
 5YX3uaOGds6cyXAIm7Kl95OZTNEf99ANsx/ZFHASUiSXCzJgN6wI8i9hMM+6Z877vBez
 Kvmf1r81mYrT71sRaX3qBUP/vAtE69f2lkuvGdqmPaPKQBOCP/DNKnBbbuYqqRbl4FNw
 hHDEQS5RgRYzywo95QFON7MRZukNcGuosORq7n9Vm0DPjZCW81NkZ4HknOlG5X59dXYQ
 /J9A==
X-Gm-Message-State: AElRT7GTfkw6GYRhaRUh+0FwX8rqmHu6sN7TnQtzZyOB/AonZwih3o9U
 puO6W73NhdbjrZ2ALxJ9muuKcYGYm6qLOsaO2d9lUEdoht8=
X-Google-Smtp-Source: AIpwx49ZjRRmybWLx0cMP5onaB9Kmk6c0vti0VeX/tJdeGhX5n2ylRvnKQmSoR0hk9eLdLxCFT7+W2GdXTBIlnroX/k=
X-Received: by 2002:a9d:5697:: with SMTP id
 o23-v6mr4139478oth.345.1521826725965; 
 Fri, 23 Mar 2018 10:38:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.41.11 with HTTP; Fri, 23 Mar 2018 10:38:25 -0700 (PDT)
X-Originating-IP: [81.2.106.35]
From: Ross Burton <ross@HIDDEN>
Date: Fri, 23 Mar 2018 17:38:25 +0000
Message-ID: <CAAnfSTtzCpA3gLUsvmP-CeMPfn9t0Q_pXvOhicMS9Nd=DNv8+A@HIDDEN>
Subject: Don't use syscall() to call renameat2()
To: bug-coreutils@HIDDEN, clint@HIDDEN
Content-Type: multipart/alternative; boundary="000000000000694916056817e505"
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
 recognized.
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Fri, 23 Mar 2018 14:16:11 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

--000000000000694916056817e505
Content-Type: text/plain; charset="UTF-8"

mv.c uses gnulib/renameat2.c to call renameat2(), which if the glibc
wrapper isn't available will just invoke syscall(SYS_renameat2). This may
seem like a good idea but considering a number of major distributions use
LD_PRELOAD to build as a pretend root user[1] these mv calls won't be
intercepted, and building will break in strange and interesting ways (such
as binaries not being owned by root:root anymore).  Please consider
changing renameat2.c so that it doesn't hit syscall() if the wrapper isn't
available.

Ross

[1] Debian and derivatives using fakeroot, OpenEmbedded derivatives using
pseudo, etc.

--000000000000694916056817e505
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">mv.c uses gnulib/renameat2.c to call renameat2(), which if=
 the glibc wrapper isn&#39;t available will just invoke syscall(SYS_renamea=
t2). This may seem like a good idea but considering a number of major distr=
ibutions use LD_PRELOAD to build as a pretend root user[1] these mv calls w=
on&#39;t be intercepted, and building will break in strange and interesting=
 ways (such as binaries not being owned by root:root anymore).=C2=A0 Please=
 consider changing renameat2.c so that it doesn&#39;t hit syscall() if the =
wrapper isn&#39;t available.<div><br></div><div>Ross</div><div><br></div><d=
iv>[1] Debian and derivatives using fakeroot, OpenEmbedded derivatives usin=
g pseudo, etc.</div></div>

--000000000000694916056817e505--




Acknowledgement sent to Ross Burton <ross@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-coreutils@HIDDEN. Full text available.
Report forwarded to bug-coreutils@HIDDEN:
bug#30918; Package coreutils. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.