| Message ID | 20260622050835.985725-1-git-patches@bmwtechworks.in |
|---|---|
| State | New |
| Series | [poky,scarthgap] nptl: open threads comm with O_WRONLY\|O_CLOEXEC |

On Mon Jun 22, 2026 at 7:08 AM CEST, Sana Kazi via lists.openembedded.org wrote:
> From: Sana Kazi <sana.kazi@bmwtechworks.in>
>
> pthread_setname_np opens the thread's comm file using O_RDWR, but the
> function only ever writes to it. This causes two distinct problems:
>
> 1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec,
>    so it remains open across fork+exec. A child process that audits
>    its inherited file-descriptor set will encounter an unexpected /proc
>    fd it did not open and may treat this as a security violation and
>    abort.
> 2. Unnecessary O_RDWR: requesting read+write access when only write
>    access is needed can cause open() to fail under security policies
>    that permit writing to /proc/<tid>/comm but deny reading it.
>
> Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC
> Similarly, updated pthread_getname_np to use O_CLOEXEC.
>
> Signed-off-by: Sana Kazi <sana.kazi@bmwtechworks.in>
> ---

I see you sent that for master and scarthgap, but don't forget wrynose. I can't take that for scarthgap until there is an equivalent fix in wrynose.

Regards,

> .../glibc/glibc/0024-fix-fd-leaks.patch | 61 +++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.39.bb | 1 +
> 2 files changed, 62 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch b/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch
> new file mode 100644
> index 0000000000..633e52a8f9
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch
> @@ -0,0 +1,61 @@ > +From 1cba6073e500c7bde9322a2f536fc0c308846c61 Mon Sep 17 00:00:00 2001 > +From: Sana Kazi <Sana.Kazi@bmwtechworks.in> > +Date: Mon, 15 Jun 2026 16:37:59 +0200 > +Subject: [PATCH] nptl: open threads comm with O_WRONLY|O_CLOEXEC > + > +pthread_setname_np opens the thread's comm file using O_RDWR, but the > +function only ever writes to it. This causes two distinct problems: > + > +1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec, > + so it remains open across fork+exec. A child process that audits > + its inherited file-descriptor set will encounter an unexpected /proc > + fd it did not open and may treat this as a security violation and > + abort. > + > +2. Unnecessary O_RDWR: requesting read+write access when only write > + access is needed can cause open() to fail under security policies > + that permit writing to /proc/<tid>/comm but deny reading it. > + > +Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC > + > +Similarly, updated pthread_getname_np to use O_CLOEXEC. 
> + > +Bug-Id: 34192[https://sourceware.org/bugzilla/show_bug.cgi?id=34192] > + > +Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in> > +Reviewed-by: Florian Weimer <fweimer@redhat.com> > +--- > + nptl/pthread_getname.c | 2 +- > + nptl/pthread_setname.c | 2 +- > + 2 files changed, 2 insertions(+), 2 deletions(-) > + > +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=1cba6073e500c7bde9322a2f536fc0c308846c61] > + > +diff --git a/nptl/pthread_getname.c b/nptl/pthread_getname.c > +index da23a13ba5..5261993d1f 100644 > +--- a/nptl/pthread_getname.c > ++++ b/nptl/pthread_getname.c > +@@ -44,7 +44,7 @@ __pthread_getname_np (pthread_t th, char *buf, size_t len) > + char fname[sizeof (FMT) + 8]; > + sprintf (fname, FMT, (unsigned int) pd->tid); > + > +- int fd = __open64_nocancel (fname, O_RDONLY); > ++ int fd = __open64_nocancel (fname, O_RDONLY | O_CLOEXEC); > + if (fd == -1) > + return errno; > + > +diff --git a/nptl/pthread_setname.c b/nptl/pthread_setname.c > +index 62f4964fcc..f9a528c3d8 100644 > +--- a/nptl/pthread_setname.c > ++++ b/nptl/pthread_setname.c > +@@ -46,7 +46,7 @@ __pthread_setname_np (pthread_t th, const char *name) > + char fname[sizeof (FMT) + 8]; > + sprintf (fname, FMT, (unsigned int) pd->tid); > + > +- int fd = __open64_nocancel (fname, O_RDWR); > ++ int fd = __open64_nocancel (fname, O_WRONLY | O_CLOEXEC); > + if (fd == -1) > + return errno; > + > +-- > +2.43.7 > diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb > index 7958d64eed..4681ac427d 100644 > --- a/meta/recipes-core/glibc/glibc_2.39.bb > +++ b/meta/recipes-core/glibc/glibc_2.39.bb 
> @@ -55,6 +55,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ > file://0023-qemu-stale-process.patch \ > file://0001-stdlib-Add-single-threaded-fast-path-to-rand.patch \ > + file://0024-fix-fd-leaks.patch \ > " > S = "${WORKDIR}/git" > B = "${WORKDIR}/build-${TARGET_SYS}"
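
The descriptor inheritance described in the commit message can be observed directly. This is an added example, not code from the patch or from glibc; it assumes a Linux system with /proc mounted and /bin/sh present, uses /proc/self/comm as a stand-in for the per-thread comm file, and `fd_survives_exec` and `COMM_PATH` are names made up for it.

```c
/* Added example: does a descriptor opened on a /proc comm file survive exec? */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: /proc/self/comm stands in for the per-thread comm file. */
#define COMM_PATH "/proc/self/comm"

/* Open `path` with `flags`, then fork+exec a shell that audits its own
   descriptor table for that fd number.
   Returns 1 if the child inherited the fd, 0 if not, -1 on error. */
int fd_survives_exec(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd == -1)
        return -1;

    char audit[64];
    snprintf(audit, sizeof audit, "[ -e /proc/self/fd/%d ]", fd);

    pid_t pid = fork();
    if (pid == 0) {
        /* Child: exec closes every FD_CLOEXEC descriptor before sh runs. */
        execl("/bin/sh", "sh", "-c", audit, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }

    int status = 0;
    int ok = pid > 0 && waitpid(pid, &status, 0) == pid;
    close(fd);
    if (!ok || !WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0;     /* test exits 0 when the fd exists */
}

int main(void)
{
    printf("O_RDWR:               inherited=%d\n",
           fd_survives_exec(COMM_PATH, O_RDWR));
    printf("O_WRONLY | O_CLOEXEC: inherited=%d\n",
           fd_survives_exec(COMM_PATH, O_WRONLY | O_CLOEXEC));
    return 0;
}
```

The child shell plays the role of the auditing process from the commit message: it only reports the stray descriptor, where a stricter program would abort.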
diff --git a/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch b/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch new file mode 100644 index 0000000000..633e52a8f9 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch 
@@ -0,0 +1,61 @@ +From 1cba6073e500c7bde9322a2f536fc0c308846c61 Mon Sep 17 00:00:00 2001 +From: Sana Kazi <Sana.Kazi@bmwtechworks.in> +Date: Mon, 15 Jun 2026 16:37:59 +0200 +Subject: [PATCH] nptl: open threads comm with O_WRONLY|O_CLOEXEC + +pthread_setname_np opens the thread's comm file using O_RDWR, but the +function only ever writes to it. This causes two distinct problems: + +1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec, + so it remains open across fork+exec. A child process that audits + its inherited file-descriptor set will encounter an unexpected /proc + fd it did not open and may treat this as a security violation and + abort. + +2. Unnecessary O_RDWR: requesting read+write access when only write + access is needed can cause open() to fail under security policies + that permit writing to /proc/<tid>/comm but deny reading it. + +Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC + +Similarly, updated pthread_getname_np to use O_CLOEXEC. + +Bug-Id: 34192[https://sourceware.org/bugzilla/show_bug.cgi?id=34192] + +Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in> +Reviewed-by: Florian Weimer <fweimer@redhat.com> +--- + nptl/pthread_getname.c | 2 +- + nptl/pthread_setname.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=1cba6073e500c7bde9322a2f536fc0c308846c61] + +diff --git a/nptl/pthread_getname.c b/nptl/pthread_getname.c +index da23a13ba5..5261993d1f 100644 +--- a/nptl/pthread_getname.c ++++ b/nptl/pthread_getname.c +@@ -44,7 +44,7 @@ __pthread_getname_np (pthread_t th, char *buf, size_t len) + char fname[sizeof (FMT) + 8]; + sprintf (fname, FMT, (unsigned int) pd->tid); + +- int fd = __open64_nocancel (fname, O_RDONLY); ++ int fd = __open64_nocancel (fname, O_RDONLY | O_CLOEXEC); + if (fd == -1) + return errno; + +diff --git a/nptl/pthread_setname.c b/nptl/pthread_setname.c +index 62f4964fcc..f9a528c3d8 100644 +--- 
a/nptl/pthread_setname.c ++++ b/nptl/pthread_setname.c +@@ -46,7 +46,7 @@ __pthread_setname_np (pthread_t th, const char *name) + char fname[sizeof (FMT) + 8]; + sprintf (fname, FMT, (unsigned int) pd->tid); + +- int fd = __open64_nocancel (fname, O_RDWR); ++ int fd = __open64_nocancel (fname, O_WRONLY | O_CLOEXEC); + if (fd == -1) + return errno; + +-- +2.43.7 diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb index 7958d64eed..4681ac427d 100644 --- a/meta/recipes-core/glibc/glibc_2.39.bb +++ b/meta/recipes-core/glibc/glibc_2.39.bb @@ -55,6 +55,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ file://0023-qemu-stale-process.patch \ file://0001-stdlib-Add-single-threaded-fast-path-to-rand.patch \ + file://0024-fix-fd-leaks.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}"
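
Review bot: The commit message frames both numbered problems around pthread_setname_np and covers the nptl/pthread_getname.c hunk with the single line "Similarly, updated pthread_getname_np to use O_CLOEXEC". In that hunk the access mode stays O_RDONLY, so only problem 1 applies to pthread_getname_np; saying so explicitly in the message would save a reader from looking for an access-mode change that is not there.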
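
Review bot: In the header of the new 0024-fix-fd-leaks.patch, the Upstream-Status: Backport line sits below the --- separator and the diffstat, while Bug-Id, Signed-off-by and Reviewed-by are above it. git am discards the text between --- and the first diff --git line, so the tag would be lost if the patch is ever re-applied and regenerated from a git tree. Moving it up next to Signed-off-by keeps it with the other trailers.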
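
Review bot: The SRC_URI entry added in the glibc_2.39.bb hunk is named 0024-fix-fd-leaks.patch, which says neither which descriptors nor which functions are affected, while the patch subject is "nptl: open threads comm with O_WRONLY|O_CLOEXEC". A file name that follows the subject, in the style of the neighbouring 0001-stdlib-Add-single-threaded-fast-path-to-rand.patch entry, would make the backport easier to match against the upstream commit quoted in Upstream-Status.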