From: Adhemerval Zanella Netto
To: libc-alpha@sourceware.org, Carlos O'Donell, Florian Weimer
Subject: [PATCH v2 0/2] Make abort AS-safe
Date: Thu, 3 Aug 2023 14:34:34 -0300
Message-Id: <20230803173436.4146900-1-adhemerval.zanella@linaro.org>
X-Patchwork-Id: 1816597

Besides POSIX stating abort should be AS-safe, Rust also had an open PR about it [1] (it was closed with a different fix).

The main issue is that the recursive lock used on abort does not synchronize with new process creation (either by fork-like interfaces or posix_spawn ones), nor is it reinitialized after fork.

Also, the SIGABRT unblock before raise shows another race condition, where a fork or posix_spawn call by another thread just after the recursive lock release and before raising SIGABRT might create a new process with a non-expected signal mask.
The requirement of SIGABRT handler being called even if the signal is blocked was changed by a POSIX defect [3].

To fix the AS-safe, the raise is issued without changing the process signal mask, and an AS-safe lock is used if a SIGABRT is installed or the process is blocked or ignored. With the signal mask change removal, there is no need to use a recursive lock. The lock is also used on both _Fork and posix_spawn, to avoid the spawn process seeing the abort handler as SIG_DFL.

The clone is also subjected to this issue, but since glibc does not do any internal metadata setup (as for fork-like functions), this patch does not handle it for the symbol.

I have not added regression tests because, from Carlos's previous patch [2], hitting the code path to trigger the potential issue (fork just after abort has acquired the lock and reset SIGABRT handler) is not deterministic and it would generate a lot of development overhead.

[1] https://github.com/rust-lang/rust/issues/73894#issuecomment-673478761
[2] https://sourceware.org/pipermail/libc-alpha/2020-September/117934.html
[3] https://austingroupbugs.net/view.php?id=906#c5851

Changes from v1:
- Change __abort_lock_lock/__abort_lock_unlock to use an internal_sigset_t.
- Improve comments.
- Use gettid syscall on __pthread_raise_internal to work after vfork.

Adhemerval Zanella (2):
  setjmp: Use BSD sematic as default for setjmp
  stdlib: Make abort AS-safe (BZ 26275)

 include/bits/unistd_ext.h                  |   3 +
 include/stdlib.h                           |   6 +
 manual/setjmp.texi                         |  14 +--
 manual/startup.texi                        |   3 -
 nptl/pthread_create.c                      |   3 +-
 nptl/pthread_kill.c                        |  11 ++
 posix/fork.c                               |   2 +
 setjmp/setjmp.h                            |   5 -
 signal/sigaction.c                         |  15 ++-
 stdlib/abort.c                             | 130 ++++++++------------
 sysdeps/generic/internal-signals.h         |  27 ++++-
 sysdeps/generic/internal-sigset.h          |  26 +++++
 sysdeps/htl/pthreadP.h                     |   2 +
 sysdeps/nptl/_Fork.c                       |   9 ++
 sysdeps/nptl/libc_start_call_main.h        |   3 +-
 sysdeps/nptl/pthreadP.h                    |   1 +
 sysdeps/unix/sysv/linux/internal-signals.h |   9 ++
 sysdeps/unix/sysv/linux/internal-sigset.h  |   2 +-
 sysdeps/unix/sysv/linux/spawni.c           |   6 +-
 19 files changed, 167 insertions(+), 110 deletions(-)
 create mode 100644 sysdeps/generic/internal-sigset.h
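
Added example, not part of the original message or of the glibc patches: the race described in the cover letter matters because a child created by fork takes a snapshot of the parent's signal mask and SIGABRT disposition at that instant. The C program below shows that inheritance deterministically in a single thread; it does not reproduce the multi-threaded race, and the names sigabrt_state_seen_by_child, on_abort and CHILD_SEES_* are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_SEES_BLOCKED 1 /* SIGABRT is in the child's signal mask */
#define CHILD_SEES_SIG_DFL 2 /* child's SIGABRT disposition is SIG_DFL */

static void on_abort(int sig) { (void)sig; } /* stand-in application handler */

/* Put this process into a chosen SIGABRT state, fork, and return what the
   child observed as a mask of CHILD_SEES_* flags (-1 on error). The
   parent's own mask and disposition are restored before returning. */
int sigabrt_state_seen_by_child(int unblock, int reset_to_default)
{
    sigset_t abrt, saved_mask, child_mask;
    struct sigaction sa, saved_sa, child_sa;
    int status = 0, result = -1;

    sigemptyset(&abrt);
    sigaddset(&abrt, SIGABRT);
    sa.sa_handler = reset_to_default ? SIG_DFL : on_abort;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigprocmask(unblock ? SIG_UNBLOCK : SIG_BLOCK, &abrt, &saved_mask);
    sigaction(SIGABRT, &sa, &saved_sa);

    pid_t pid = fork(); /* the child snapshots the state set just above */
    if (pid == 0) {
        int seen = 0;
        sigprocmask(SIG_SETMASK, NULL, &child_mask);
        sigaction(SIGABRT, NULL, &child_sa);
        if (sigismember(&child_mask, SIGABRT) == 1) seen |= CHILD_SEES_BLOCKED;
        if (child_sa.sa_handler == SIG_DFL) seen |= CHILD_SEES_SIG_DFL;
        _exit(seen);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);
    sigaction(SIGABRT, &saved_sa, NULL);
    sigprocmask(SIG_SETMASK, &saved_mask, NULL);
    return result;
}

int main(void)
{
    printf("application state (blocked, handler): %d\n", sigabrt_state_seen_by_child(0, 0));
    printf("mid-abort state (unblocked, SIG_DFL): %d\n", sigabrt_state_seen_by_child(1, 1));
    return 0;
}
```

The second call models the window the cover letter names (handler reset, SIGABRT unblocked): a child forked there no longer sees the mask and handler the application had configured.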