mirror of
https://sourceware.org/git/glibc.git
synced 2024-11-21 20:40:05 +00:00
d40ac01cbb
The recursive lock used on abort does not synchronize with a new process
creation (either by fork-like interfaces or posix_spawn ones), nor it
is reinitialized after fork().
Also, the SIGABRT unblock before raise() shows another race condition,
where a fork or posix_spawn() call by another thread, just after the
recursive lock release and before the SIGABRT signal, might create
programs with a non-expected signal mask. With the default option
(without POSIX_SPAWN_SETSIGDEF), the process can see SIG_DFL for
SIGABRT, where it should be SIG_IGN.
To fix the AS-safe, raise() does not change the process signal mask,
and an AS-safe lock is used if a SIGABRT is installed or the process
is blocked or ignored. With the signal mask change removal,
there is no need to use a recursive loc. The lock is also taken on
both _Fork() and posix_spawn(), to avoid the spawn process to see the
abort handler as SIG_DFL.
A read-write lock is used to avoid serialize _Fork and posix_spawn
execution. Both sigaction (SIGABRT) and abort() requires to lock
as writer (since both change the disposition).
The fallback is also simplified: there is no need to use a loop of
ABORT_INSTRUCTION after _exit() (if the syscall does not terminate the
process, the system is broken).
The proposed fix changes how setjmp works on a SIGABRT handler, where
glibc does not save the signal mask. So usage like the below will now
always abort.
static volatile int chk_fail_ok;
static jmp_buf chk_fail_buf;
static void
handler (int sig)
{
if (chk_fail_ok)
{
chk_fail_ok = 0;
longjmp (chk_fail_buf, 1);
}
else
_exit (127);
}
[...]
signal (SIGABRT, handler);
[....]
chk_fail_ok = 1;
if (! setjmp (chk_fail_buf))
{
// Something that can calls abort, like a failed fortify function.
chk_fail_ok = 0;
printf ("FAIL\n");
}
Such cases will need to use sigsetjmp instead.
The _dl_start_profile calls sigaction through _profil, and to avoid
pulling abort() on loader the call is replaced with __libc_sigaction.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>
124 lines
4.5 KiB
C
124 lines
4.5 KiB
C
/* Send a signal to a specific pthread. Stub version.
|
|
Copyright (C) 2014-2024 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<https://www.gnu.org/licenses/>. */
|
|
|
|
#include <libc-lock.h>
|
|
#include <unistd.h>
|
|
#include <pthreadP.h>
|
|
#include <shlib-compat.h>
|
|
|
|
/* Sends SIGNO to THREADID. If the thread is about to exit or has
|
|
already exited on the kernel side, return NO_TID. Otherwise return
|
|
0 or an error code. */
|
|
static int
|
|
__pthread_kill_implementation (pthread_t threadid, int signo, int no_tid)
|
|
{
|
|
struct pthread *pd = (struct pthread *) threadid;
|
|
if (pd == THREAD_SELF)
|
|
{
|
|
/* Use the actual TID from the kernel, so that it refers to the
|
|
current thread even if called after vfork. There is no
|
|
signal blocking in this case, so that the signal is delivered
|
|
immediately, before __pthread_kill_internal returns: a signal
|
|
sent to the thread itself needs to be delivered
|
|
synchronously. (It is unclear if Linux guarantees the
|
|
delivery of all pending signals after unblocking in the code
|
|
below. POSIX only guarantees delivery of a single signal,
|
|
which may not be the right one.) */
|
|
pid_t tid = INTERNAL_SYSCALL_CALL (gettid);
|
|
int ret = INTERNAL_SYSCALL_CALL (tgkill, __getpid (), tid, signo);
|
|
return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
|
|
}
|
|
|
|
/* Block all signals, as required by pd->exit_lock. */
|
|
internal_sigset_t old_mask;
|
|
internal_signal_block_all (&old_mask);
|
|
__libc_lock_lock (pd->exit_lock);
|
|
|
|
int ret;
|
|
if (pd->exiting)
|
|
/* The thread is about to exit (or has exited). Sending the
|
|
signal is either not observable (the target thread has already
|
|
blocked signals at this point), or it will fail, or it might be
|
|
delivered to a new, unrelated thread that has reused the TID.
|
|
So do not actually send the signal. */
|
|
ret = no_tid;
|
|
else
|
|
{
|
|
ret = INTERNAL_SYSCALL_CALL (tgkill, __getpid (), pd->tid, signo);
|
|
ret = INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
|
|
}
|
|
|
|
__libc_lock_unlock (pd->exit_lock);
|
|
internal_signal_restore_set (&old_mask);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* Send the signal SIGNO to the caller. Used by abort and called where the
|
|
signals are being already blocked and there is no need to synchronize with
|
|
exit_lock. */
|
|
int
|
|
__pthread_raise_internal (int signo)
|
|
{
|
|
/* Use the gettid syscall so it works after vfork. */
|
|
int ret = INTERNAL_SYSCALL_CALL (tgkill, __getpid (), __gettid(), signo);
|
|
return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
|
|
}
|
|
|
|
int
|
|
__pthread_kill_internal (pthread_t threadid, int signo)
|
|
{
|
|
/* Do not report an error in the no-tid case because the threadid
|
|
argument is still valid (the thread ID lifetime has not ended),
|
|
and ESRCH (for example) would be misleading. */
|
|
return __pthread_kill_implementation (threadid, signo, 0);
|
|
}
|
|
|
|
int
|
|
__pthread_kill (pthread_t threadid, int signo)
|
|
{
|
|
/* Disallow sending the signal we use for cancellation, timers,
|
|
for the setxid implementation. */
|
|
if (is_internal_signal (signo))
|
|
return EINVAL;
|
|
|
|
return __pthread_kill_internal (threadid, signo);
|
|
}
|
|
|
|
/* Some architectures (for instance arm) might pull raise through libgcc, so
|
|
avoid the symbol version if it ends up being used on ld.so. */
|
|
#if !IS_IN(rtld)
|
|
libc_hidden_def (__pthread_kill)
|
|
versioned_symbol (libc, __pthread_kill, pthread_kill, GLIBC_2_34);
|
|
|
|
# if OTHER_SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_34)
|
|
/* Variant which returns ESRCH in the no-TID case, for backwards
|
|
compatibility. */
|
|
int
|
|
attribute_compat_text_section
|
|
__pthread_kill_esrch (pthread_t threadid, int signo)
|
|
{
|
|
if (is_internal_signal (signo))
|
|
return EINVAL;
|
|
|
|
return __pthread_kill_implementation (threadid, signo, ESRCH);
|
|
}
|
|
compat_symbol (libc, __pthread_kill_esrch, pthread_kill, GLIBC_2_0);
|
|
# endif
|
|
#endif
|