From: Florian Weimer via Libc-alpha
Reply-To: Florian Weimer
To: Rich Felker
Cc: Carlos O'Donell via Libc-alpha, musl@lists.openwall.com
Subject: Re: [musl] Re: [PATCH] Make abort() AS-safe (Bug 26275).
Date: Thu, 01 Oct 2020 17:11:19 +0200
Message-ID: <87o8lmhtgo.fsf@oldenburg2.str.redhat.com>
In-Reply-To: <20201001143918.GN17637@brightrain.aerifal.cx> (Rich Felker's message of "Thu, 1 Oct 2020 10:39:19 -0400")

* Rich Felker:

> On Thu, Oct 01, 2020 at 08:08:24AM +0200, Florian Weimer wrote:
>> * Rich Felker:
>>
>> > Even without fork, execve and posix_spawn can also see the SIGABRT
>> > disposition change made by abort(), passing it on to a process that
>> > should have started with a disposition of SIG_IGN if you hit exactly
>> > the wrong spot in the race.
>>
>> My feeling is that it's not worth bothering with this kind of leakage.
>> We've had this bug forever in glibc, and no one has complained about
>> it.
>>
>> Carlos is investigating removal of the abort lock from glibc, I think.
>
> I don't think that's a good solution. The lock is really important in
> that it protects against serious wrong behavior *within the process*
> like an application-installed signal handler for SIGABRT getting
> called more than once.

I think glibc currently has this bug. We only avoid it for abort, but
I'm not sure if it's a bug to handle the handler multiple times if abort
is called more than once.

But even for the more general case (threads call sigaction to install a
SIGABRT handler): Do we actually need a lock there? We reach this state
only after raise (SIGABRT) has returned. At this point, we can set a
flag (not a lock), and every other thread that calls signal or sigaction
would instead perform the late-stage SIG_DFL-for-SIGABRT part of abort?

It probably still needs some fiddling with sigprocmask.

Thanks,
Florian
-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
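
The disposition leak discussed in the quoted text, as an added example that is not part of this message and is not glibc or musl code: a program started with SIGABRT at SIG_IGN survives a later SIGABRT, while one started with SIG_DFL (the state abort() sets late in its sequence) is killed by it. The helper name `abrt_outcome_after_exec` is hypothetical, and the example assumes a POSIX `/bin/sh`.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: exec /bin/sh with SIGABRT set to `disp`, which stands
   for the disposition in force at the moment of the execve. The shell sends
   itself SIGABRT. Returns 0 if it survived and exited 0, the number of the
   signal that killed it otherwise, or -1 on error. */
static int abrt_outcome_after_exec(void (*disp)(int))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        struct sigaction sa;
        sigset_t set;

        setrlimit(RLIMIT_CORE, &no_core);      /* no core file for the demo */
        sa.sa_handler = disp;                  /* SIG_IGN or SIG_DFL */
        sa.sa_flags = 0;
        sigemptyset(&sa.sa_mask);
        if (sigaction(SIGABRT, &sa, NULL) != 0)
            _exit(126);
        sigemptyset(&set);                     /* the signal mask is inherited */
        sigaddset(&set, SIGABRT);              /* too, so unblock SIGABRT */
        sigprocmask(SIG_UNBLOCK, &set, NULL);
        /* execve keeps SIG_IGN and SIG_DFL as they are; only caught
           signals are reset to SIG_DFL. */
        execl("/bin/sh", "sh", "-c", "kill -ABRT $$; exit 0", (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    printf("exec with SIG_IGN: %d\n", abrt_outcome_after_exec(SIG_IGN));
    printf("exec with SIG_DFL: %d\n", abrt_outcome_after_exec(SIG_DFL));
    return 0;
}
```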