From c44757975ecf76067234fde2f888b2467a67ca15 Mon Sep 17 00:00:00 2001
From: Ryan Houdek
Date: Wed, 12 Feb 2025 23:45:06 -0800
Subject: [PATCH] Seccomp: Fix a couple minor things. If fcntl fails then report a log message, and fix a potential overflow before widen bug.
---
 .../LinuxSyscalls/Seccomp/SeccompEmulator.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Source/Tools/LinuxEmulation/LinuxSyscalls/Seccomp/SeccompEmulator.cpp b/Source/Tools/LinuxEmulation/LinuxSyscalls/Seccomp/SeccompEmulator.cpp
index f627fe29fb..9cabc786d3 100644
--- a/Source/Tools/LinuxEmulation/LinuxSyscalls/Seccomp/SeccompEmulator.cpp
+++ b/Source/Tools/LinuxEmulation/LinuxSyscalls/Seccomp/SeccompEmulator.cpp
@@ -257,7 +257,9 @@ std::optional SeccompEmulator::SerializeFilters(FEXCore::Core::CpuStateFram
 lseek(FD, 0, SEEK_SET);
 // Seal everything about this FD.
- fcntl(FD, F_ADD_SEALS, F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
+ if (fcntl(FD, F_ADD_SEALS, F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_FUTURE_WRITE) == -1) {
+ LogMan::Msg::IFmt("Couldn't seal seccomp serialize FD. Nefarious code could modify");
+ }
 return FD;
 }
@@ -410,7 +412,7 @@ SeccompEmulator::ExecuteFilter(FEXCore::Core::CpuStateFrame* Frame, uint64_t JIT
 case SECCOMP_RET_KILL_PROCESS: {
 const int KillSignal = GetKillSignal();
 // Ignores signal handler and sigmask
- uint64_t Mask = 1 << (KillSignal - 1);
+ uint64_t Mask = 1ULL << (KillSignal - 1);
 SignalDelegation->GuestSigProcMask(Thread, SIG_UNBLOCK, &Mask, nullptr);
 SignalDelegation->UninstallHostHandler(KillSignal);
 kill(0, KillSignal);
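Review bot: When `fcntl(FD, F_ADD_SEALS, ...)` fails, the added branch only logs at info level and still returns the unsealed `FD`, so the serialized filter data stays modifiable by anything holding the descriptor; the message also stops mid-sentence ("could modify") and does not report `errno`. `F_SEAL_FUTURE_WRITE` is only accepted by Linux 5.1 and later, so an older host kernel rejects the whole seal set with EINVAL and applies none of the seals; retrying without that flag keeps the descriptor sealed there, since `F_SEAL_WRITE` is already in the set. If callers treat an empty optional as failure (they are outside this hunk, as is the start of SerializeFilters), closing the descriptor and returning `std::nullopt` would fail closed rather than hand out a writable filter blob.

```cpp
  // Seal everything about this FD.
  constexpr int BaseSeals = F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE;
  // F_SEAL_FUTURE_WRITE needs Linux 5.1+; older kernels reject the whole set with EINVAL.
  if (fcntl(FD, F_ADD_SEALS, BaseSeals | F_SEAL_FUTURE_WRITE) == -1 &&
      fcntl(FD, F_ADD_SEALS, BaseSeals) == -1) {
    LogMan::Msg::EFmt("Couldn't seal seccomp serialize FD (errno {}). Refusing to pass on a modifiable filter FD", errno);
    close(FD);
    return std::nullopt;
  }

  return FD;
```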
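Review bot: The shift count `KillSignal - 1` is still unchecked after the widening to `1ULL`: a value below 1 or above 64 from `GetKillSignal()` (defined outside this hunk) would make the shift undefined, and the mask passed to `GuestSigProcMask` would then not reliably unblock the kill signal. If that range is not already guaranteed, an assertion through the project's assert facility before the shift would catch it; otherwise a comment stating the invariant is enough, e.g. `// KillSignal is 1-based and <= 64, so bit (KillSignal - 1) fits the 64-bit guest sigmask`. Writing the constant as `uint64_t{1}` would also tie its width to the declared type of `Mask` rather than to `unsigned long long`. The case body continues past the end of the hunk.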