This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [RFC] Toward Shareable POSIX Signals

From: Zack Weinberg <zackw at panix dot com>
To: Rich Felker <dalias at libc dot org>
Cc: Daniel Colascione <dancol at dancol dot org>, Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
Date: Fri, 9 Mar 2018 16:05:03 -0500
Subject: Re: [RFC] Toward Shareable POSIX Signals
Authentication-results: sourceware.org; auth=none
References: <4b99c033-eebe-4b65-b347-272ca0188184@dancol.org> <5339dd78-989d-49df-32c8-5565c7d4e987@redhat.com> <7787d2cd671f7df30f019a3422387cbc.squirrel@dancol.org> <e57cb633-4f92-5447-7b94-0935c7ba947c@redhat.com> <daedca25-cf87-72e6-c486-cbdf31219df5@dancol.org> <20180309164137.GP1436@brightrain.aerifal.cx> <CAKCAbMgJ1unHfO-05Qzk2YDpq+_vLrK2HceO0Te_JnX9YmTCgA@mail.gmail.com> <20180309202524.GT1436@brightrain.aerifal.cx>

On Fri, Mar 9, 2018 at 3:25 PM, Rich Felker <dalias@libc.org> wrote:
> On Fri, Mar 09, 2018 at 02:30:51PM -0500, Zack Weinberg wrote:
>> > "Just use glib" is of course fundamentally unacceptable. But the
>> > obvious solution is "just use threads" and I don't see why that's not
>> > acceptable. The cost of a thread is miniscule compared to the cost of
>> > a child process, and threads performing synchronous waitpid can
>> > convert the result into whatever type of notification (poll wakeup,
>> > cond var, synchronous handling, etc.) you like.
>>
>> The main problem I see with this idea is, a thread waiting for _any_
>> process can steal the event from a thread waiting for a specific
>> process; this makes it nonviable for any situation where you don't
>
> I never proposed using a thread that calls wait or waidpid with a
> negative argument, rather one thread per child. As long as there is no
> rogue thread in the program doing wait-any,

My point here is that a library author cannot assume there is no such
"rogue thread".

>> I've also
>> dug into Breakpad a little, but that is a debugger at heart, and it
>> would be well-served by a mechanism where the kernel would
>> automatically spawn a ptrace supervisor instead of delivering a fatal
>> signal.  (This would also allow us to kick core dump generation out of
>> the kernel.)
>
> This is a very bad idea. Introspective crash logging/reporting is a
> huge gift to attackers. If an attacker has compromised a process in a
> manner to cause it to segfault, they almost surely have enough control
> over the process state to force the handler to perform code execution
> for them. There have been real-world CVEs along these lines.

That is a problem for Breakpad _as it is today_, but it should not be
a problem for a hypothetical out-of-process ptrace monitor that the
kernel spawns after freezing the process that was about to take a
fatal sync signal.

You can almost fake this today by starting up the ptrace monitor with
the monitored child; the main issue I'm aware of is that the monitor
will get woken up every time the child takes any signal at all, which
makes signal handling even costlier than it already is, and figuring
out whether the child was about to be _killed_ by the signal is a
PITA.

zw

References:
- [RFC] Toward Shareable POSIX Signals
  - From: Daniel Colascione
- Re: [RFC] Toward Shareable POSIX Signals
  - From: Florian Weimer
- Re: [RFC] Toward Shareable POSIX Signals
  - From: dancol
- Re: [RFC] Toward Shareable POSIX Signals
  - From: Florian Weimer
- Re: [RFC] Toward Shareable POSIX Signals
  - From: Daniel Colascione
- Re: [RFC] Toward Shareable POSIX Signals
  - From: Rich Felker
- Re: [RFC] Toward Shareable POSIX Signals
  - From: Zack Weinberg
- Re: [RFC] Toward Shareable POSIX Signals
  - From: Rich Felker

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]