mailing list of musl libc
From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: Conditional signal safety?
Date: Sat, 29 Jun 2019 12:49:45 -0400
Message-ID: <20190629164945.GL1506@brightrain.aerifal.cx>
In-Reply-To: <20190629055405.GA22788@voyager>

On Sat, Jun 29, 2019 at 07:54:05AM +0200, Markus Wichmann wrote:
> Hi all,
> 
> at work yesterday I had to build an exception handler (a signal handler
> for SIGSEGV, SIGBUS, SIGILL, and SIGFPE). For my purposes, it was really
> convenient to just use dladdr() to find out at least what module and
> function PC and LR were pointing to when the exception happened, so I
> used that function.

This is convenient for debugging, but I would strongly discourage its
use in deployment. Attempts to intercept and introspectively report
(or even worse, patch up and continue after) memory-safety UB almost
always provide tools for an attacker to turn an unexploitable or
difficult-to-exploit error into one they can exploit. This is inherent
in continuing to run and make calls that might make use of compromised
pointers.

> Now, dladdr() is not on the list of signal safe functions, but then,
> dladdr() is a GNU extension. I wondered if it is signal safe and noticed
> that at least musl's implementation is, provided that dlopen() was not
> the function that was pre-empted. That got me thinking: Is there such a
> thing as "conditional signal safety"?

There's not, because it requires too fine-grained constraint of
implementation internals; my understanding is that this is the reason
both on the standards side (where they're rightfully opposed to
specifying anything about the interaction of internals) and on the
musl implementation side (where we don't want to preclude interactions
that have no obvious reason to exist but that are needed to fix subtle
problems -- see for example the interaction between sigaction and
abort).

> dladdr() takes a rwlock in read mode. At the moment, this means it can
> only block if the lock is write locked, which only dlopen() will ever
> do. dladdr() does nothing else that would impede signal safety. But of
> course, these are implementation details. What is actually defined about
> the interface?

Nothing further. Documenting the behavior of nonstandard extension
functions musl supports is on the agenda, but I don't think
documenting properties that are consequences of implementation
internals would be part of it except possibly as part of a "hacking"
document for use in debugging with tools that aren't stable interface
guarantees.

Rich
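The alternative to an introspective handler, written along the lines of the reply above as an added example (not code from this thread or from musl): a fault handler that limits itself to async-signal-safe calls (write, raise, sigaction), never touches dladdr() or the rwlock behind it, and never resumes the faulting code. The names fmt_u64, crash_line and install_crash_handler are chosen here and the output format is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
/* Render v in base 10 or 16 into buf (>= 21 bytes) using no locks, allocation
 * or stdio, so it is safe inside a handler; returns the length written. */
size_t fmt_u64(uint64_t v, unsigned base, char *buf)
{
    const char *digits = "0123456789abcdef";
    char tmp[24];
    size_t n = 0;
    do { tmp[n++] = digits[v % base]; v /= base; } while (v);
    for (size_t i = 0; i < n; i++) buf[i] = tmp[n - 1 - i];
    buf[n] = '\0';
    return n;
}

/* Build "fatal signal <sig> at 0x<addr>\n" in out (>= 64 bytes); returns length. */
size_t crash_line(int sig, const void *addr, char *out)
{
    memcpy(out, "fatal signal ", 13);
    size_t n = 13 + fmt_u64((uint64_t)sig, 10, out + 13);
    memcpy(out + n, " at 0x", 6); n += 6;
    n += fmt_u64((uint64_t)(uintptr_t)addr, 16, out + n);
    out[n++] = '\n'; out[n] = '\0';
    return n;
}

/* Fault-signal handler: report with write(2), then die with the original signal.
 * No dladdr() (and its rwlock), no malloc, no stdio, no return into the fault. */
static void crash_handler(int sig, siginfo_t *si, void *ctx)
{
    char line[64]; (void)ctx;
    size_t n = crash_line(sig, si->si_addr, line);
    (void)write(STDERR_FILENO, line, n);
    raise(sig); /* SA_RESETHAND restored SIG_DFL: pending until return, then fatal */
}

/* Install the handler on SIGSEGV, SIGBUS, SIGILL and SIGFPE; 0 on success. */
int install_crash_handler(void)
{
    static const int sigs[] = { SIGSEGV, SIGBUS, SIGILL, SIGFPE };
    struct sigaction sa = { 0 };
    sa.sa_sigaction = crash_handler;
    sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0) return -1;
    return 0;
}
```

Any symbolisation of the reported address belongs in a separate, post-mortem step (core file, addr2line against the unstripped binary), not in the handler.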


Thread overview: 7+ messages
2019-06-29  5:54 Markus Wichmann
2019-06-29  9:33 ` Szabolcs Nagy
2019-06-29 16:49 ` Rich Felker [this message]
2019-07-01  4:21 ` Florian Weimer
2019-07-01 14:06   ` Rich Felker
2019-07-01 15:55     ` Florian Weimer
2019-07-01 16:13       ` Rich Felker