From: Rich Felker <dalias@libc.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: musl@lists.openwall.com
Subject: Re: arc4random/csprng
Date: Tue, 3 Jul 2018 11:17:56 -0400 [thread overview]
Message-ID: <20180703151756.GO1392@brightrain.aerifal.cx> (raw)
In-Reply-To: <5d28fcf7-b869-175d-c2b7-9c61ef1d40cd@redhat.com>
On Tue, Jul 03, 2018 at 05:08:21PM +0200, Florian Weimer wrote:
> On 07/03/2018 04:47 PM, Rich Felker wrote:
>
> >>The main lock (for non-current kernels) is needed for the fork
> >>detection counters. Fork detection is required for compatibility
> >>with applications which call clone/fork system calls directly, so
> >
> >How do you consider this supported usage at all? The tid in the TCB
> >will be invalid after such a call, and other things may be broken too.
>
> Right, robust mutexes are quite broken by this.
Not just robust. Due to tid reuse, if a single-threaded parent
bypasses libc to fork, then exits, the tid that was copied into the
child's TCB could get reused for a new thread in the child, thereby
allowing two threads to lock the same recursive mutex at the same
time. Lots of other versions of this are possible too whenever
TCB->tid has a value that's not reserved against reuse.
> But it's still quite common to do things with direct system calls,
> particularly for setting up containers.
>
> I have not yet found a case which I couldn't solve with plain fork
> (with handlers) and unshare, but that's not what everyone does
> unfortunately.
I agree you might need direct use of clone sometime for
namespace/container stuff, but I don't think there's any way it can be
made safe without careful consideration of what you do after the
operation before a subsequent execve or _exit. I don't think it makes
sense to design big machinery to support doing something that has
deeper reasons it can't work, but this is probably partly a difference
in philosophy between glibc and musl (see also: dlclose, lazy dtls,
lazy tlsdesc, ...).
Rich
next prev parent reply other threads:[~2018-07-03 15:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-02 20:39 arc4random/csprng Rich Felker
2018-07-03 13:36 ` arc4random/csprng Florian Weimer
2018-07-03 14:47 ` arc4random/csprng Rich Felker
2018-07-03 15:08 ` arc4random/csprng Florian Weimer
2018-07-03 15:17 ` Rich Felker [this message]
2018-07-04 11:36 ` arc4random/csprng Florian Weimer
2018-07-04 15:13 ` arc4random/csprng Rich Felker
2018-07-03 14:18 ` arc4random/csprng Luca Barbato
2018-07-03 14:49 ` arc4random/csprng Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180703151756.GO1392@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=fweimer@redhat.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).