diff mbox series

[master] nptl: open threads comm with O_WRONLY|O_CLOEXEC

Message ID 20260622050921.985873-1-git-patches@bmwtechworks.in
State Under Review
Headers show
Series [master] nptl: open threads comm with O_WRONLY|O_CLOEXEC | expand

Commit Message

Sana Kazi June 22, 2026, 5:09 a.m. UTC 
From: Sana Kazi <sana.kazi@bmwtechworks.in>

pthread_setname_np opens the thread's comm file using O_RDWR, but the
function only ever writes to it.  This causes two distinct problems:

1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec,
so it remains open across fork+exec.  A child process that audits
its inherited file-descriptor set will encounter an unexpected /proc
fd it did not open and may treat this as a security violation and
abort.
2. Unnecessary O_RDWR: requesting read+write access when only write
access is needed can cause open() to fail under security policies
that permit writing to /proc/<tid>/comm but deny reading it.

Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC
Similarly, updated pthread_getname_np to use O_CLOEXEC.

Signed-off-by: Sana Kazi <sana.kazi@bmwtechworks.in>
---
 .../glibc/glibc/0024-fix-fd-leaks.patch       | 61 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.43.bb         |  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch
diff mbox series

Patch

diff --git a/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch b/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch
new file mode 100644
index 0000000000..d2f8231c02
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0024-fix-fd-leaks.patch
@@ -0,0 +1,61 @@ 
+From 1cba6073e500c7bde9322a2f536fc0c308846c61 Mon Sep 17 00:00:00 2001
+From: Sana Kazi <Sana.Kazi@bmwtechworks.in>
+Date: Mon, 15 Jun 2026 16:37:59 +0200
+Subject: [PATCH] nptl: open threads comm with O_WRONLY|O_CLOEXEC
+
+pthread_setname_np opens the thread's comm file using O_RDWR, but the
+function only ever writes to it.  This causes two distinct problems:
+
+1. Missing O_CLOEXEC: the file descriptor is not marked close-on-exec,
+   so it remains open across fork+exec.  A child process that audits
+   its inherited file-descriptor set will encounter an unexpected /proc
+   fd it did not open and may treat this as a security violation and
+   abort.
+
+2. Unnecessary O_RDWR: requesting read+write access when only write
+   access is needed can cause open() to fail under security policies
+   that permit writing to /proc/<tid>/comm but deny reading it.
+
+Fix both issues by replacing O_RDWR with O_WRONLY|O_CLOEXEC
+
+Similarly, updated pthread_getname_np to use O_CLOEXEC.
+
+Bug-Id: 34192[https://sourceware.org/bugzilla/show_bug.cgi?id=34192]
+
+Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in>
+Reviewed-by: Florian Weimer <fweimer@redhat.com>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=1cba6073e500c7bde9322a2f536fc0c308846c61]
+---
+ nptl/pthread_getname.c | 2 +-
+ nptl/pthread_setname.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nptl/pthread_getname.c b/nptl/pthread_getname.c
+index da23a13ba5..5261993d1f 100644
+--- a/nptl/pthread_getname.c
++++ b/nptl/pthread_getname.c
+@@ -44,7 +44,7 @@ __pthread_getname_np (pthread_t th, char *buf, size_t len)
+   char fname[sizeof (FMT) + 8];
+   sprintf (fname, FMT, (unsigned int) pd->tid);
+ 
+-  int fd = __open64_nocancel (fname, O_RDONLY);
++  int fd = __open64_nocancel (fname, O_RDONLY | O_CLOEXEC);
+   if (fd == -1)
+     return errno;
+ 
+diff --git a/nptl/pthread_setname.c b/nptl/pthread_setname.c
+index 62f4964fcc..f9a528c3d8 100644
+--- a/nptl/pthread_setname.c
++++ b/nptl/pthread_setname.c
+@@ -46,7 +46,7 @@ __pthread_setname_np (pthread_t th, const char *name)
+   char fname[sizeof (FMT) + 8];
+   sprintf (fname, FMT, (unsigned int) pd->tid);
+ 
+-  int fd = __open64_nocancel (fname, O_RDWR);
++  int fd = __open64_nocancel (fname, O_WRONLY | O_CLOEXEC);
+   if (fd == -1)
+     return errno;
+ 
+-- 
+2.43.7
diff --git a/meta/recipes-core/glibc/glibc_2.43.bb b/meta/recipes-core/glibc/glibc_2.43.bb
index a52dcfd364..8cfce51ec5 100644
--- a/meta/recipes-core/glibc/glibc_2.43.bb
+++ b/meta/recipes-core/glibc/glibc_2.43.bb
@@ -55,6 +55,7 @@  SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0021-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch \
            file://0022-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch \
            file://0023-CVE-2026-5450.patch \
+           file://0024-fix-fd-leaks.patch \
 "
 B = "${WORKDIR}/build-${TARGET_SYS}"