Add a sandbox workaround for Glibc 2.33

Nick Mathewson requested to merge nickm/tor:ticket40382_045 into maint-0.4.5

This change permits the newfstatat() system call, and fixes issues 40382 (and 40381).

This isn't a free change. From the commit:

// Libc 2.33 uses this syscall to implement both fstat() and stat().
//
// The trouble is that to implement fstat(fd, &st), it calls:
//     newfstatat(fs, "", &st, AT_EMPTY_PATH)
// We can't detect this usage in particular, because "" is a pointer
// we don't control.  And we can't just look for AT_EMPTY_PATH, since
// AT_EMPTY_PATH only has effect when the path string is empty.
//
// So our only solution seems to be allowing all fstatat calls, which
// means that an attacker can stat() anything on the filesystem. That's
// not a great solution, but I can't find a better one.
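
The limitation described in the commit comment, as an added example that is not part of the merge request or of Tor's code: with the same descriptor and the same AT_EMPTY_PATH flag, an empty path stats the descriptor while a non-empty path stats that path, and the only argument that differs is an address a seccomp filter cannot dereference. It assumes Linux; `arg_view`, `stat_with_flag` and `demo` are hypothetical names, and the pipe and "/" are constructed inputs.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000 /* Linux UAPI value, if the headers hide it */
#endif

/* Constructed stand-in for what a seccomp-BPF filter can compare: the raw
 * argument words. Pointer arguments are addresses; the filter cannot read
 * the bytes they point to. */
struct arg_view { uint64_t dirfd, path_addr, flags; };

static int same_file(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Issue fstatat(fd, path, &st, AT_EMPTY_PATH) and record the filter's view. */
static int stat_with_flag(int fd, const char *path, struct stat *st,
                          struct arg_view *v) {
    v->dirfd = (uint64_t)fd;
    v->path_addr = (uint64_t)(uintptr_t)path;
    v->flags = AT_EMPTY_PATH;
    return fstatat(fd, path, st, AT_EMPTY_PATH);
}

/* Returns 1 when: "" stats the descriptor, "/" stats the root directory,
 * and the two calls differ only in an address the filter cannot follow. */
static int demo(void) {
    int p[2];
    struct stat via_fd, empty, rooted, root;
    struct arg_view v1, v2;
    if (pipe(p) != 0) return -1;
    int ok = fstat(p[0], &via_fd) == 0 && stat("/", &root) == 0 &&
             stat_with_flag(p[0], "", &empty, &v1) == 0 &&
             stat_with_flag(p[0], "/", &rooted, &v2) == 0;
    close(p[0]); close(p[1]);
    if (!ok) return -1;
    return same_file(&empty, &via_fd) && same_file(&rooted, &root) &&
           !same_file(&rooted, &via_fd) &&
           v1.dirfd == v2.dirfd && v1.flags == v2.flags;
}

int main(void) {
    printf("flag-only filter cannot tell fstat() from stat(): %d\n", demo());
    return 0;
}
```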
