From: Zbigniew Jędrzejewski-Szmek Date: Fri, 6 Dec 2019 14:04:51 +0000 (+0100) Subject: shared/seccomp: avoid possibly writing bogus errno code in debug log X-Git-Tag: v245-rc1~299^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F14265%2Fhead;p=thirdparty%2Fsystemd.git shared/seccomp: avoid possibly writing bogus errno code in debug log CID 1409488. This code was added in 903659e7b242c3cc897e32835f1918d380b24e5f. The change that is done here is a simple fix to avoid use of a unitialized/wrongly-initialized variable, but the bigger issue is that nothing looks at the returned result to distinguish between 0 and a positive return value. --- diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 6d42b2d5734..eeca17f3412 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -1583,12 +1583,11 @@ assert_cc(SCMP_SYS(shmdt) > 0); int seccomp_memory_deny_write_execute(void) { uint32_t arch; - int r; - int loaded = 0; + unsigned loaded = 0; SECCOMP_FOREACH_LOCAL_ARCH(arch) { _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; - int filter_syscall = 0, block_syscall = 0, shmat_syscall = 0; + int filter_syscall = 0, block_syscall = 0, shmat_syscall = 0, r; log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); @@ -1678,12 +1677,13 @@ int seccomp_memory_deny_write_execute(void) { if (ERRNO_IS_SECCOMP_FATAL(r)) return r; if (r < 0) - log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + log_debug_errno(r, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", + seccomp_arch_to_string(arch)); loaded++; } if (loaded == 0) - log_debug_errno(r, "Failed to install any seccomp rules for MemoryDenyWriteExecute="); + log_debug("Failed to install any seccomp rules for MemoryDenyWriteExecute=."); return loaded; }