From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 28200 invoked from network); 1 Oct 2020 15:29:03 -0000 Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with ESMTPUTF8; 1 Oct 2020 15:29:03 -0000 Received: (qmail 32228 invoked by uid 550); 1 Oct 2020 15:29:01 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 32210 invoked from network); 1 Oct 2020 15:29:00 -0000 Date: Thu, 1 Oct 2020 11:28:48 -0400 From: Rich Felker To: Florian Weimer Cc: musl@lists.openwall.com, Carlos O'Donell via Libc-alpha Message-ID: <20201001152847.GP17637@brightrain.aerifal.cx> References: <20200927141952.121047-1-carlos@redhat.com> <871rinm1fx.fsf@mid.deneb.enyo.de> <20200928234833.GC17637@brightrain.aerifal.cx> <87d025jcn0.fsf@mid.deneb.enyo.de> <20200929144207.GD17637@brightrain.aerifal.cx> <20201001023018.GL17637@brightrain.aerifal.cx> <87o8lmeaw7.fsf@mid.deneb.enyo.de> <20201001143918.GN17637@brightrain.aerifal.cx> <87o8lmhtgo.fsf@oldenburg2.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87o8lmhtgo.fsf@oldenburg2.str.redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [musl] Re: [PATCH] Make abort() AS-safe (Bug 26275). On Thu, Oct 01, 2020 at 05:11:19PM +0200, Florian Weimer wrote: > * Rich Felker: > > > On Thu, Oct 01, 2020 at 08:08:24AM +0200, Florian Weimer wrote: > >> * Rich Felker: > >> > >> > Even without fork, execve and posix_spawn can also see the SIGABRT > >> > disposition change made by abort(), passing it on to a process that > >> > should have started with a disposition of SIG_IGN if you hit exactly > >> > the wrong spot in the race. > >> > >> My feeling is that it's not worth bothering with this kind of leakage. > >> We've had this bug forever in glibc, and no one has complained about > >> it. > >> > >> Carlos is investigating removal of the abort lock from glibc, I think. > > > > I don't think that's a good solution. The lock is really important in > > that it protects against serious wrong behavior *within the process* > > like an application-installed signal handler for SIGABRT getting > > called more than once. > > I think glibc currently has this bug. We only avoid it for abort, but > I'm not sure if it's a bug to handle the handler multiple times if abort > is called more than once. I don't see anything in the spec that allows for the signal handler to be called multiple times. The signal is raised (thereby following normal semantics for if/how signal handler runs), and if a handler runs and returns, the process is then required to terminate abnormally as if by SIGABRT. This isn't a license to execute the signal handler again or do other random observable things. > But even for the more general case (threads call sigaction to install a > SIGABRT handler): Do we actually need a lock there? We reach this state > only after raise (SIGABRT) has returned. At this point, we can set a > flag (not a lock), and every other thread that calls signal or sigaction > would instead perform the late-stage SIG_DFL-for-SIGABRT part of abort? > It probably still needs some fiddling with sigprocmask. There's a race between checking the flag and acting on it. If thread A has already called signal(SIGABRT,foo) and gotten past the "are we aborting?" check, then thread B calls abort(), thread A can reset the disposition of SIGABRT to foo after thread B sets it to SIG_DFL, but before thread B re-raises, unblocks, and acts on the signal. Rich