Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <alpine.LRH.2.20.1607031237430.3868@s1.palsenberg.com>
Date: Sun, 3 Jul 2016 12:43:59 +0200 (CEST)
From: Igmar Palsenberg <igmar@...senberg.com>
To: musl@...ts.openwall.com
Subject: Re: abort() fails to terminate PID 1 process


> > That rule doesn't apply to pid 1 by default. Pid 1 should be a proper init 
> > system, not a full blows application that makes the system blow up on 
> > every error.
> 
> abort is specified to terminate the process no matter what.

Yes. But like mentioned : pid 1 is an exception to this.

> For it to
> ever be able to return is a serious bug since both the compiler and
> the programmer can assume any code after abort() is unreachable.

This specific case talked about pid 1. pid 1 has kernel protection, normal 
userspace processes don't. In that case, the normal assumptions don't hold 
up.

> At
> present musl avoids this worst-case failure (wrongfully returning)
> with an infinite loop, but that's just a fail-safe. The intent is that
> it terminate, and in particular, terminate abnormally as specified,
> which we don't do enough to guarantee (SIGKILL is not "abnormal"
> termination). So there's definitely work to be done to fix this. It's
> an issue I've been aware of for a long time but the kernel makes it
> painful to reliably produce abnormal termination without race
> conditions.

Can this even be reproduced under normal circumstances (aka : not pid 1) ? 
If thes, then I agree : It's a bug. If no : Then not. If people have a 
broken container init system, then it breaks and they keep the pieces.
 

> > Well, normally abort() does some signal magic, and then raises again. 
> > Which is what POSIX mandates I think.
> 
> To make this work reliably I think we need to make abort() take a lock
> the precludes further calls to sigaction prior to re-raising SIGABRT
> and resetting the disposition. But there are all sorts of
> complications to deal with. For example if another thread performs
> posix_spawn for fork and exec concurrent with abort() munging the
> disposition of SIGABRT, the child process could start with the wrong
> disposition for SIGABRT, which would be non-conforming. Finding ways
> to fix all places where the wrong behavior may be observable is a
> nontrivial problem.

Does the whole guaranteed termination also includes threaded programs ?
 
> > If you're pid 1 however, you should behave like one.
> 
> I tend to agree, but if you're libc you should also behave as
> specified, and currently we don't in this regard.

Sure, but like mentioned : Normal rules don't apply to pid 1.



Igmar

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.