https://bugs.gentoo.org/797358 From 21cb1dad1243f4c0a427d893babab12e48b60f0e Mon Sep 17 00:00:00 2001 From: Masatake YAMATO Date: Sun, 20 Jun 2021 21:40:55 +0900 Subject: [PATCH] Adjust alignment of buffer passed to stat() Close #160. The original code passes char[] buffer to stat(). This can be cause a SIGBUS. #160 reported an actual crash on armv7a + glibc-2.33 platform. See also https://sourceware.org/bugzilla/show_bug.cgi?id=27993. The issue is reported by @10ne1. Signed-off-by: Masatake YAMATO [Adrian: Backported to 4.94] Signed-off-by: Adrian Ratiu --- a/misc.c +++ b/misc.c @@ -293,7 +293,15 @@ doinchild(fn, fp, rbuf, rbln) */ int r_al, r_rbln; - char r_arg[MAXPATHLEN+1], r_rbuf[MAXPATHLEN+1]; + char r_arg[MAXPATHLEN+1]; + union { + char r_rbuf[MAXPATHLEN+1]; + /* + * This field is only for adjusting the alignment of r_rbuf that + * can be used as an argument for stat(). + */ + struct stat _; + } r; int (*r_fn)(); /* * Close sufficient open file descriptors except Pipes[0] and @@ -358,16 +366,16 @@ doinchild(fn, fp, rbuf, rbln) || read(Pipes[0], r_arg, r_al) != r_al || read(Pipes[0], (char *)&r_rbln, sizeof(r_rbln)) != (int)sizeof(r_rbln) - || r_rbln < 1 || r_rbln > (int)sizeof(r_rbuf)) + || r_rbln < 1 || r_rbln > (int)sizeof(r.r_rbuf)) break; - zeromem (r_rbuf, r_rbln); - rv = r_fn(r_arg, r_rbuf, r_rbln); + zeromem (r.r_rbuf, r_rbln); + rv = r_fn(r_arg, r.r_rbuf, r_rbln); en = errno; if (write(Pipes[3], (char *)&rv, sizeof(rv)) != sizeof(rv) || write(Pipes[3], (char *)&en, sizeof(en)) != sizeof(en) - || write(Pipes[3], r_rbuf, r_rbln) != r_rbln) + || write(Pipes[3], r.r_rbuf, r_rbln) != r_rbln) break; } (void) _exit(0); -- 2.32.0