From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-Status: No, score=-3.9 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_PASS, SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 4D1F11F4B4 for ; Thu, 1 Oct 2020 15:28:52 +0000 (UTC) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 862C4398B80B; Thu, 1 Oct 2020 15:28:51 +0000 (GMT) Received: from brightrain.aerifal.cx (brightrain.aerifal.cx [216.12.86.13]) by sourceware.org (Postfix) with ESMTPS id 3A6A33951C67 for ; Thu, 1 Oct 2020 15:28:49 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 3A6A33951C67 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=libc.org Authentication-Results: sourceware.org; spf=none smtp.mailfrom=dalias@libc.org Date: Thu, 1 Oct 2020 11:28:48 -0400 From: Rich Felker To: Florian Weimer Subject: Re: [musl] Re: [PATCH] Make abort() AS-safe (Bug 26275). Message-ID: <20201001152847.GP17637@brightrain.aerifal.cx> References: <20200927141952.121047-1-carlos@redhat.com> <871rinm1fx.fsf@mid.deneb.enyo.de> <20200928234833.GC17637@brightrain.aerifal.cx> <87d025jcn0.fsf@mid.deneb.enyo.de> <20200929144207.GD17637@brightrain.aerifal.cx> <20201001023018.GL17637@brightrain.aerifal.cx> <87o8lmeaw7.fsf@mid.deneb.enyo.de> <20201001143918.GN17637@brightrain.aerifal.cx> <87o8lmhtgo.fsf@oldenburg2.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87o8lmhtgo.fsf@oldenburg2.str.redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Carlos O'Donell via Libc-alpha , musl@lists.openwall.com Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" On Thu, Oct 01, 2020 at 05:11:19PM +0200, Florian Weimer wrote: > * Rich Felker: > > > On Thu, Oct 01, 2020 at 08:08:24AM +0200, Florian Weimer wrote: > >> * Rich Felker: > >> > >> > Even without fork, execve and posix_spawn can also see the SIGABRT > >> > disposition change made by abort(), passing it on to a process that > >> > should have started with a disposition of SIG_IGN if you hit exactly > >> > the wrong spot in the race. > >> > >> My feeling is that it's not worth bothering with this kind of leakage. > >> We've had this bug forever in glibc, and no one has complained about > >> it. > >> > >> Carlos is investigating removal of the abort lock from glibc, I think. > > > > I don't think that's a good solution. The lock is really important in > > that it protects against serious wrong behavior *within the process* > > like an application-installed signal handler for SIGABRT getting > > called more than once. > > I think glibc currently has this bug. We only avoid it for abort, but > I'm not sure if it's a bug to handle the handler multiple times if abort > is called more than once. I don't see anything in the spec that allows for the signal handler to be called multiple times. The signal is raised (thereby following normal semantics for if/how signal handler runs), and if a handler runs and returns, the process is then required to terminate abnormally as if by SIGABRT. This isn't a license to execute the signal handler again or do other random observable things. > But even for the more general case (threads call sigaction to install a > SIGABRT handler): Do we actually need a lock there? We reach this state > only after raise (SIGABRT) has returned. At this point, we can set a > flag (not a lock), and every other thread that calls signal or sigaction > would instead perform the late-stage SIG_DFL-for-SIGABRT part of abort? > It probably still needs some fiddling with sigprocmask. There's a race between checking the flag and acting on it. If thread A has already called signal(SIGABRT,foo) and gotten past the "are we aborting?" check, then thread B calls abort(), thread A can reset the disposition of SIGABRT to foo after thread B sets it to SIG_DFL, but before thread B re-raises, unblocks, and acts on the signal. Rich