libseccomp-golang

Check negative value in GetSyscallFromName

Open foreverpersist opened this issue 2 years ago • 0 comments

GetSyscallFromName in seccomp.go may return a negative syscall nr without error. It is not reasonable, since a syscall cannot be negative.

Test case:

[[Code]]
	// Resolve the syscall name to its number.
	callNum, err := libseccomp.GetSyscallFromName(call.Name)
	if err != nil {
		logrus.Debugf("unknown seccomp syscall %q ignored", call.Name)
		return nil
	}
	// No error was returned, yet the resolved number can still be negative.
	if callNum < 0 {
		fmt.Println("In Seccomp, invalid call", call, callNum, uint32(callNum))
	}

[[Output]]
In Seccomp, invalid call &{timer_settime64 4 <nil> []} -10237 4294957059

Fix:

From ca9418a3e0b73a4f317225ad90c47f095ad6feb6 Mon Sep 17 00:00:00 2001
From: Joy Allen <[email protected]>
Date: Tue, 5 Dec 2023 15:57:01 +0800
Subject: [PATCH] Consider negative syscall nr as NotExist error

C libseccomp may return negative pseudo syscall nr. In this case,
the syscall does not exist.

Signed-off-by: Joy Allen <[email protected]>
---
 seccomp.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/seccomp.go b/seccomp.go
index b707c43..54b6aac 100644
--- a/seccomp.go
+++ b/seccomp.go
@@ -495,7 +495,9 @@ func GetSyscallFromName(name string) (ScmpSyscall, error) {
        defer C.free(unsafe.Pointer(cString))
 
        result := C.seccomp_syscall_resolve_name(cString)
-       if result == scmpError {
+       // C libseccomp may return negative pseudo syscall nr on NotExist.
+       // Just checking scmpError is not sufficient here
+       if result < 0 {
                return 0, ErrSyscallDoesNotExist
        }
 
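Review bot: The new `if result < 0` check changes what callers of GetSyscallFromName receive, and the patch neither documents that nor adds a test for it. Callers that previously got a negative pseudo syscall nr with a nil error will now get ErrSyscallDoesNotExist, so the function's doc comment should state this, and a regression test should cover the reported case (timer_settime64 resolving to -10237 in the issue's output). It is also worth confirming that scmpError is itself negative, so that the case the removed `result == scmpError` line handled is still caught by the new comparison. Minor style point: the second added comment line ("Just checking scmpError is not sufficient here") is missing its closing full stop.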
-- 
2.25.1

foreverpersist, Dec 05 '23 08:12