Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180917032317.GF17995@brightrain.aerifal.cx>
Date: Sun, 16 Sep 2018 23:23:17 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Replacing a_crash() ?

Now that we have an abort() that reliably terminates with uncatchable
SIGABRT, I've been thinking about replacing the a_crash() calls in
musl (which are usually an instruction generating SIGILL or SIGSEGV)
with calls to the uncatchable tail of abort(), which I would factor
off as a __forced_abort() function.

In case it's not clear, the reason for not just calling abort() is
that too many programs catch it, and catching it is even encouraged.
Catchability is a problem with the current approach too, since
a_crash() is used in places where process state is known to be
dangerously corrupt and likely under attacker control; eliminating it
is one of the potential goals of switching to __forced_abort().

Are there any objections to making such a change? So far I've gotten
mostly positive feedback -- SIGABRT is more telling of what's happened
than SIGSEGV/SIGILL. It would also get rid of the ugly misplacement of
a_crash() (no longer needed) in "atomic.h" and the inclusion of
"atomic.h" in some files where it makes no sense without knowing it's
where a_crash() is defined.

For i386, some nontrivial work would be needed to make abort's tail
perform syscalls with int $128 rather than the vdso, which is unsafe
since the pointer to it may have been subverted. On other archs,
inline syscalls are fully inline. I'd probably add a
NEED_FAILSAFE_SYSCALL macro to define before including "syscall.h" and
have arch/i386/syscall_arch.h adjust the asm string based on it; this
is more maintainable than writing an asm version of the function.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.