This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/14750] New: Race condition in posix_spawn vfork usage vs signal handlers
- From: "bugdal at aerifal dot cx" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Sun, 21 Oct 2012 20:41:49 +0000
- Subject: [Bug libc/14750] New: Race condition in posix_spawn vfork usage vs signal handlers
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=14750
Bug #: 14750
Summary: Race condition in posix_spawn vfork usage vs signal
handlers
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: unassigned@sourceware.org
ReportedBy: bugdal@aerifal.cx
CC: drepper.fsp@gmail.com
Classification: Unclassified
When posix_spawn uses vfork, it does not block signals. This allows the parent
process's signal handlers to get invoked in the child process, corrupting the
parent process's state. For example:
1. Memory state will be as if the signal handler ran, but other state such as
signal dispositions, open files, etc. modified from the signal handler will not
be reflected in the parent.
2. The same signal (assuming the signal was sent to an entire process-group,
which is the main way a signal could arrive in the new child) may be processed
twice in the context of the parent process's memory space.
3. Properties of the child process (e.g. its pid) may end up stored in the
parent process's address space.
These are just a few examples; there should be plenty more ways things can go
wrong.
To fix the problem, the vfork/exec process needs to follow the steps below:
1. Mask all signals (including NPTL-internal ones)
2. vfork
3. In child, reset all signal dispositions to SIG_DFL unless the existing
disposition is SIG_IGN.
4. In child, restore the original signal mask.
5. In child, finish up and exec/_exit.
6. In parent, restore the original signal mask.
Note that step 3 would happen in kernelspace as part of exec anyway, but it
must be done explicitly in userspace to make it safe to unmask signals.
As an alternative, restoring the signal mask, and all of the post-fork work of
posix_spawn, could be outsourced to an external program, i.e. first exec
$prefix/libexec/posix_spawn, which would restore signals, perform the file
actions, etc.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.