From: Adhemerval Zanella Netto
To: libc-alpha@sourceware.org, Carlos O'Donell
Subject: [PATCH 0/2] Make abort AS-safe
Date: Mon, 31 Jul 2023 14:18:58 -0300
Message-Id: <20230731171900.4065501-1-adhemerval.zanella@linaro.org>
X-Patchwork-Id: 55956

Besides POSIX stating abort should be AS-safe, Rust also had an open PR about it [1] (it was closed with a different fix).
The main issue is the recursive lock used on abort does not synchronize with new process creation (either by fork-like interfaces or posix_spawn ones), nor is it reinitialized after fork. Also, the SIGABRT unblock before raise shows another race condition, where a fork or posix_spawn call by another thread just after the recursive lock release and before raising SIGABRT might create a new process with a non-expected signal mask.

To fix the AS-safe, the raise is issued without changing the process signal mask, and an AS-safe lock is used if a SIGABRT is installed or the process is blocked or ignored. With the signal mask change removal, there is no need to use a recursive lock.

The lock is also used on both _Fork and posix_spawn, to avoid the spawn process seeing the abort handler as SIG_DFL. The clone is also subjected to this issue, but since glibc does not do any internal metadata setup (as for fork-like function), this patch does not handle it for the symbol.

I have not added a regression test because, from Carlos's previous patch [2], hitting the code path to trigger the potential issue (fork just after abort has acquired the lock and reset SIGABRT handler) is not deterministic and it would generate a lot of development overhead.

[1] https://github.com/rust-lang/rust/issues/73894#issuecomment-673478761
[2] https://sourceware.org/pipermail/libc-alpha/2020-September/117934.html

Adhemerval Zanella (2):
  setjmp: Use BSD sematic as default for setjmp
  stdlib: Make abort AS-safe (BZ 26275)

 include/stdlib.h                           |   4 +
 manual/setjmp.texi                         |  14 +--
 manual/startup.texi                        |   3 -
 nptl/pthread_create.c                      |   3 +-
 nptl/pthread_kill.c                        |  11 ++
 posix/fork.c                               |   2 +
 setjmp/setjmp.h                            |   5 -
 signal/sigaction.c                         |  21 +++-
 stdlib/abort.c                             | 128 ++++++++-------------
 sysdeps/generic/internal-signals.h         |  24 ++++
 sysdeps/htl/pthreadP.h                     |   2 +
 sysdeps/nptl/_Fork.c                       |  12 ++
 sysdeps/nptl/libc_start_call_main.h        |   3 +-
 sysdeps/nptl/pthreadP.h                    |   1 +
 sysdeps/unix/sysv/linux/internal-signals.h |   9 ++
 sysdeps/unix/sysv/linux/spawni.c           |   3 +
 16 files changed, 140 insertions(+), 105 deletions(-)
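
The window described in the cover letter, replayed single-threaded as an added example (not part of the original posting and not glibc code): fork() copies the signal mask and dispositions as they stand at that instant, so a child created between the pre-patch steps inherits SIGABRT state the application never configured. The names `child_state_at_stage` and `fork_and_probe` and the stage numbering are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { CHILD_BLOCKED = 1, CHILD_SIG_DFL = 2 };  /* bits reported by the child */

static void on_abrt(int sig) { (void) sig; }    /* stands in for an application handler */

/* Hypothetical helper: fork, and let the child report through its exit
   status what it inherited for SIGABRT. Returns -1 on error. */
static int fork_and_probe(void)
{
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    sigset_t cur; struct sigaction sa; int r = 0;
    sigprocmask(SIG_SETMASK, NULL, &cur);       /* query the inherited mask */
    sigaction(SIGABRT, NULL, &sa);              /* query the inherited disposition */
    if (sigismember(&cur, SIGABRT)) r |= CHILD_BLOCKED;
    if (sa.sa_handler == SIG_DFL) r |= CHILD_SIG_DFL;
    _exit(r);
  }
  int status;
  if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
  return WEXITSTATUS(status);
}

/* stage 0: what the application set up (handler installed, SIGABRT blocked)
   stage 1: after the pre-patch "unblock SIGABRT before raise" step
   stage 2: after the handler has been reset to SIG_DFL */
int child_state_at_stage(int stage)
{
  sigset_t abrt;
  signal(SIGABRT, on_abrt);
  sigemptyset(&abrt);
  sigaddset(&abrt, SIGABRT);
  sigprocmask(SIG_BLOCK, &abrt, NULL);
  if (stage >= 1) sigprocmask(SIG_UNBLOCK, &abrt, NULL);
  if (stage >= 2) signal(SIGABRT, SIG_DFL);
  return fork_and_probe();
}

int main(void)
{
  for (int s = 0; s <= 2; s++)
    printf("fork at stage %d: child state bits = %d\n", s, child_state_at_stage(s));
  return 0;
}
```

In a multithreaded process the fork comes from another thread at an unpredictable moment, which is why the series takes the abort lock in _Fork and posix_spawn rather than relying on timing.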