diff options
author | Tom Hromatka <tom.hromatka@oracle.com> | 2018-05-15 07:56:56 -0600 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2018-09-19 16:29:13 -0400 |
commit | 6646e21ed2734dca355c5b550cb45f0379330e02 (patch) | |
tree | 5b2a613f01a53c67485b6e967e91835dbc853216 | |
parent | 0f589d156617af715850537e5413ea516ec3e534 (diff) | |
download | libseccomp-6646e21ed2734dca355c5b550cb45f0379330e02.tar.gz |
pfc: fix PFC export hang on prioritized syscall with no rules (GH issue #117)
github user @varqox reported that generating PFC will hang if the
libseccomp filter contains a syscalle with a priority but no rule
set. The root cause is the while() loop in gen_pfc.c that walks
through the filter's syscalls. It wasn't properly advancing
through the list when p_iter was invalid.
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: fix a comment in the test]
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- | src/gen_pfc.c | 4 | ||||
-rw-r--r-- | tests/38-basic-pfc_coverage.c | 5 |
2 files changed, 8 insertions, 1 deletions
diff --git a/src/gen_pfc.c b/src/gen_pfc.c index 196635f..ebde3bf 100644 --- a/src/gen_pfc.c +++ b/src/gen_pfc.c @@ -304,8 +304,10 @@ static int _gen_pfc_arch(const struct db_filter_col *col, fprintf(fds, "if ($arch == %u)\n", db->arch->token_bpf); p_iter = p_head; while (p_iter != NULL) { - if (!p_iter->sys->valid) + if (!p_iter->sys->valid) { + p_iter = p_iter->next; continue; + } _gen_pfc_syscall(db->arch, p_iter->sys, fds); p_iter = p_iter->next; } diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c index a12d06c..c17e2ff 100644 --- a/tests/38-basic-pfc_coverage.c +++ b/tests/38-basic-pfc_coverage.c @@ -81,6 +81,11 @@ int main(int argc, char *argv[]) if (rc < 0) goto out; + /* verify the prioritized, but no-rule, syscall */ + rc = seccomp_syscall_priority(ctx, SCMP_SYS(poll), 255); + if (rc < 0) + goto out; + rc = seccomp_export_pfc(ctx, fd); if (rc < 0) goto out; |