From: Florian Weimer via Libc-alpha <libc-alpha@sourceware.org>
To: John Mellor-Crummey <johnmc@rice.edu>
Cc: libc-alpha@sourceware.org
Subject: Re: A collection of LD_AUDIT bugs that are important for tools (with better formatting for this list)
Date: Tue, 22 Jun 2021 10:15:55 +0200 [thread overview]
Message-ID: <87tulqe2mc.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <5F849F6D-0BB7-4D6F-9FC8-9F73A4E012F3@rice.edu> (John Mellor-Crummey's message of "Mon, 21 Jun 2021 14:42:17 -0500")
* John Mellor-Crummey:
> On Jun 17, 2021, at 3:09 PM, Florian Weimer <fweimer@redhat.com> wrote:
>
>> The issue is that the la_symbind interface is not very good at
>> communicating that PLT enter/exit hooks aren't available under these
>> circumstances.
>
> This is a separate issue from the one we reported. The issue we reported
> was that la_symbind wasn’t called and LD_BIND_NOW was not used.
It's kind of related. Our own example implementation looks like this:
#include <link.h>   /* Elf_Sym, LA_SYMB_NOPLTEXIT */

/* do_exit: a module-level setting of the auditor (true if PLT exit
   hooks are wanted).  */
uintptr_t
la_symbind (Elf_Sym *sym, unsigned int ndx, uintptr_t *refcook,
            uintptr_t *defcook, unsigned int *flags, const char *symname)
{
  /* Note the assignment: any flag value set up by the loader is lost.  */
  if (!do_exit)
    *flags = LA_SYMB_NOPLTEXIT;
  return sym->st_value;
}
Let's assume that we start calling la_symbind in places where there is
no support for enter/exit hooks. We could initialize *flags with
LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT, but the code above would clear
the LA_SYMB_NOPLTENTER flag in !do_exit mode.
I want to increase LAV_CURRENT to 2 and call la_symbind in the BIND_NOW
cases only if la_version returned a value greater than 1. This way, old
audit modules (which are supposed to return LAV_CURRENT from <link.h> in
la_version) will continue to work because they do not see any unexpected
la_symbind calls.
Once we call la_symbind in contexts where no enter/exit hooks are
available, we should initialize the flags to LA_SYMB_NOPLTENTER |
LA_SYMB_NOPLTEXIT (so that la_symbind can detect the situation), and
report a dlopen/loader error if those flags are cleared by la_symbind.
(With our example code, this would cause pretty much all binding to fail,
which is why I think we need the LAV_CURRENT change.)
>> pthread_create interception becomes more difficult in glibc 2.34 because
>> the pthread_create symbol is no longer interposable.
>
> I don’t understand why pthread_create will no longer be interposable in 2.34.
> We have a set of other functions that we also need to intercept, shown below:
>
> _Exit
> _exit
> execl
> execle
> execlp
> execv
> execve
> execvp
> exit
> fork
> pthread_create
> pthread_exit
> pthread_sigmask
> sigaction
> signal
> sigprocmask
> sigtimedwait
> sigwait
> sigwaitinfo
> system
> vfork
>
> If by "pthread_create symbol is no longer interposable", that means we
> can’t insert a wrapper, then that is very bad for performance tools.
Once we merge librt and libanl into libc (patches for that have been
posted), mq_notify, the timer functions, and getaddrinfo_a will call
pthread_create using a direct call that cannot be intercepted in this
way. There is precedent for making things interposable/interceptable
in the form of malloc
<https://www.gnu.org/software/libc/manual/html_node/Replacing-malloc.html>
but we currently do not plan to do this for pthread_create. It
would not be an ABI change as such, so we could introduce the indirect
call as a later change based on user feedback.
You can already see this non-interceptable thread creation behavior
today (in glibc 2.33 and earlier) with thrd_create, which does not
result in a pthread_create call, either, despite creating a new thread
as if by pthread_create.
It's also the reason why your list contains the exec* functions and
system in addition to fork, vfork, and execve, even though system is
implemented on top of those functions: the internal direct calls are
invisible to auditors. But posix_spawn, posix_spawnp, and popen are
missing, too, so you will not trace all created processes.
Starting with glibc 2.32, thread signal masks can also be manipulated
using pthread_attr_setsigmask_np, and that might go unnoticed with your
present sets of intercepts (although the mask change would be visible
from a thread start routine wrapper injected via pthread_create).
Going back to threading, I find it a bit curious that you intercept
pthread_create, but not pthread_join. How do you detect thread exit? I
assume you are interested in that event, too. Merely wrapping the
thread start routine is insufficient because there are other ways for a
thread to exit besides returning from the start routine and calling
pthread_exit (e.g., thread cancellation and unwinding).
> Should we expect any problems for the other functions listed above in
> addition to pthread_create?
I don't think glibc 2.34 will bring any new problems in this area, but
there are some pre-existing issues around posix_spawn, popen,
pthread_attr_setsigmask_np.
Thanks,
Florian