From: Lorenzo Stoakes <ljs@kernel.org>
To: Chris Gellermann <christian.gellermann@codasip.com>
Cc: akpm@linux-foundation.org, brauner@kernel.org, david@kernel.org,
liam@infradead.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
mhocko@suse.com, rppt@kernel.org, shuah@kernel.org,
surenb@google.com, vbabka@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 1/2] selftests/clone3: Fix wild pointer access of getline due to missing init
Date: Wed, 3 Jun 2026 13:05:39 +0100
Message-ID: <aiAYQVaVGRLfmpAK@lucifer>
In-Reply-To: <20260603104310.936706-1-christian.gellermann@codasip.com>
Hm you're combining 2 of my least favourite things in one :)

- Doing a >1 patch series with patch N+1 in-reply-to patch N
- Doing a vN+1 in reply to a vN series.

Just for future, please send series independent of each other not in reply to
other series, and if there's more than 1 patch, send a cover letter and have all
the patches reply to that!

Thanks, Lorenzo
On Wed, Jun 03, 2026 at 12:43:09PM +0200, Chris Gellermann wrote:
> Clone3_set_tid uses getline(&line, ...) in a loop to read the child's
> process status. The code expects that getline allocates the buffer for
> the line on the first loop iteration. According to the Open Group
> Spec[1], char *line has to be null pointer for this:
>
> > ssize_t getline(char **restrict lineptr, ...);
> > If *lineptr is a null pointer or if the object pointed to by *lineptr
> > is of insufficient size, an object shall be allocated as if by malloc()
> > or the object shall be reallocated as if by realloc()[...].
>
> However, char *line is only declared, leading to an undefined value
> that is potentially non-null. In an example run with Musl v1.2.6, the
> realloc call[2] of getdelim, which implements getline, triggers a
> segfault:
>
> ./run_kselftest.sh --test clone3:clone3_set_tid
> [ 1366.165898] kselftest: Running tests in clone3
> ...
> [ 1367.799244] clone3_set_tid[811]: unhandled signal 11 code 0x1 at
> 0x0000000000000000 in libc.so[68184,3fbf69f000+4c000]
> [ 1367.802808] CPU: 0 UID: 0 PID: 811 Comm: clone3_set_tid Not tainted
> ..
> [ 1367.804188] epc: 0x0000003fbf6b0184
> [ 1367.804188] ra : 0x0000003fbf6d4664
> [ 1367.804188] sp : 0x0000003fce5f2e40
> [ 1367.805314] gp : 0x0000002aaab0dfb8
> [ 1367.805314] tp : 0x0000003fbf6f14a8
> [ 1367.805314] t0 : 0x0000003fbf63d000
> ...
>
> Looking at the realloc implementation, Musl mallocs for a null pointer
> memory. But for a non-null pointer, it assumes it's passed a valid
> pointer to the heap and tries to access its meta-data. This leads to the
> segfault we see:
>
> void *realloc(void *p, size_t n)
> {
> 	if (!p) return malloc(n);
> 	if (size_overflows(n)) return 0;
>
> 	struct meta *g = get_meta(p);
> 	...
> }
>
> Fix this by properly initializing the line pointer to NULL.
>
> [1] https://pubs.opengroup.org/onlinepubs/9799919799/functions/getline.html
> [2] https://git.musl-libc.org/cgit/musl/tree/src/stdio/getdelim.c#n38
>
> Fixes: 41585bbeeef9 ("selftests: add tests for clone3() with *set_tid")
> Cc: stable@vger.kernel.org
> Acked-by: David Hildenbrand (arm) <david@kernel.org>
> Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
> Signed-off-by: Chris Gellermann <christian.gellermann@codasip.com>
> ---
> tools/testing/selftests/clone3/clone3_set_tid.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/clone3/clone3_set_tid.c b/tools/testing/selftests/clone3/clone3_set_tid.c
> index 5c944aee6b41..485efa7c9eed 100644
> --- a/tools/testing/selftests/clone3/clone3_set_tid.c
> +++ b/tools/testing/selftests/clone3/clone3_set_tid.c
> @@ -141,7 +141,7 @@ int main(int argc, char *argv[])
> {
> FILE *f;
> char buf;
> - char *line;
> + char *line = NULL;
> int status;
> int ret = -1;
> size_t len = 0;
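Review bot: the one-line change is correct and complete for the bug described: `char *line = NULL;` now pairs with the already-initialised `size_t len = 0;` two lines below, which is exactly the (NULL, 0) state getline(3) requires before it can allocate the buffer itself; with an indeterminate `line` the non-NULL path in the libc's realloc is reached and, as the commit message shows for musl, dereferences metadata that does not exist. Since `line` and `len` are declared at the top of main() and reused across loop iterations, it is worth confirming that the function frees `line` once after its last getline() call rather than per iteration, and that neither variable is reset inside the loop (resetting `line` to NULL without also resetting `len` would leak the buffer and re-allocate). The Fixes: tag pointing at the commit that introduced the test, together with Cc: stable, is appropriate since the undefined read has been there since the test was added.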
> --
> 2.47.3
>
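The safe getline() pattern the patch restores, as an added example that is not part of the patch or of the kselftest tree: the buffer pointer and its capacity start as NULL and 0 so the first call allocates, later calls grow or reuse the same buffer, and the caller frees it once after the loop. The input is a constructed, /proc/<pid>/status-like text fed through fmemopen(); the function names and the sample values are this example's own, not the selftest's.

```c
#define _POSIX_C_SOURCE 200809L   /* getline(), fmemopen(), ssize_t */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample resembling /proc/<pid>/status; not real kernel output. */
static const char sample_status[] =
    "Name:\tclone3_set_tid\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t811\n"
    "Pid:\t811\n"
    "PPid:\t810\n";

/*
 * Scan a status-style stream line by line for the "Pid:" field and return
 * its value, or -1 if the field is absent.
 *
 * The (line, len) pair must start as (NULL, 0): getline() treats a non-NULL
 * pointer as a buffer it previously allocated and hands it to realloc(),
 * which is the wild-pointer access the patch above fixes.
 */
int find_pid_field(FILE *f)
{
    char *line = NULL;   /* NULL: let getline() allocate on the first call */
    size_t len = 0;      /* capacity of *line; must be 0 alongside a NULL line */
    ssize_t nread;
    int pid = -1;

    while ((nread = getline(&line, &len, f)) != -1) {
        /* getline() keeps the trailing '\n'; atoi() skips the leading tab. */
        if (strncmp(line, "Pid:", 4) == 0) {
            pid = atoi(line + 4);
            break;
        }
    }

    /* One free() after the loop; free(NULL) is a no-op if nothing was read. */
    free(line);
    return pid;
}

/* Wrap a NUL-terminated text in a read-only stream and scan it. */
int find_pid_in_text(const char *text)
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    if (!f)
        return -1;
    int pid = find_pid_field(f);
    fclose(f);
    return pid;
}

int main(void)
{
    printf("Pid: %d\n", find_pid_in_text(sample_status));
    return 0;
}
```

The same (NULL, 0) initialisation applies to getdelim(); resetting `line` to NULL between calls without also resetting `len` would leak the old buffer, which is why the pair is initialised once and freed once.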
Thread overview: 9+ messages
2026-05-26 11:38 [PATCH] selftest: Fix UB of getline due to missing var init Chris Gellermann
2026-05-26 12:19 ` David Hildenbrand (Arm)
2026-05-26 13:33 ` Lorenzo Stoakes
2026-05-26 18:34 ` Andrew Morton
2026-05-27 16:23 ` Lorenzo Stoakes
2026-06-03 10:43 ` [PATCH v2 1/2] selftests/clone3: Fix wild pointer access of getline due to missing init Chris Gellermann
2026-06-03 10:43 ` [PATCH v2 2/2] selftests/mm: Fix potential " Chris Gellermann
2026-06-03 12:05 ` Lorenzo Stoakes [this message]
2026-06-03 14:57 ` Re: [PATCH v2 1/2] selftests/clone3: Fix " Chris Gellermann