Re: setrlimit hangs the process

[Rich Felker <dalias@libc.org>]

On Tue, Sep 25, 2018 at 05:36:05PM +0200, Szabolcs Nagy wrote:
> * Rabbitstack <rabbitstack7@gmail.com> [2018-09-25 16:54:37 +0200]:
> > Sorry. Let me describe the problem in more detail.
> > 
> > The process only hangs when launched without root privileges on the host
> > (Arch Linux x64 with kernel 4.17.5-1) where Alpine docker container is
> > running. Once with root privileges, it starts up correctly (but this is
> > obvious since it doesn't hit setrlimit call). The odd side is that on other
> > hosts it hangs even when started with root. No error messages so far.
> > Strace output:
> > 
> > $ sudo strace -p 9285
> > 
> > futex(0x2cddfc0, FUTEX_WAIT_PRIVATE, 0, NULL
> > 
> > $ sudo strace -f -p 9285
> > 
> > .....
> > [pid  9287] getdents64(10, /* 14 entries */, 2048) = 336
> > [pid  9287] tgkill(9285, 9285, SIGRT_2) = 0
> > [pid  9287] futex(0x7efbff70008c, FUTEX_LOCK_PI_PRIVATE,
> > {tv_sec=1537887068, tv_nsec=51442144}) = -1 ETIMEDOUT (Connection timed out)
> 
> it looks like musl tries to sync a setuid call across
> all threads (which is necessary since the linux syscall
> only changes the uid for the current thread instead of
> all threads so you can end up with different privileges
> in the same address space which is dangerous as well as
> non-posix conform setuid behaviour)
> 
> it's possible that the setuid syncing is somehow wrong
> in musl, but it's more likely that there are threads
> that are not created by the c runtime (but from go) and
> thus the sync cannot possibly work.

It actually can kinda work with such threads. musl's stop-the-world
__synccall pokes all kernel-level threads in the same process (thread
group) as the caller using signals and /proc/self/task to ensure it
didn't miss any, so it will work as long as they haven't blocked
libc-internal signals. There may be problems with the thread pointer
being invalid, though. The __synccall framework itself does not use
the TCB, but other stuff in the callback might. This should probably
be fixed.

> so try to look for where set*id is called and ensure it
> is not called or called before any threads are created
> (or at least before any go threads are created)
> 
> note that syscall.Set*id from go does not work either,
> it does not sync the threads (which is dangerously
> broken for a runtime that's always multi-threaded).

Yep, that's unsafe to use. Any use is likely exploitable.

Rich