Message-ID: <20180925163850.GL17995@brightrain.aerifal.cx>
Date: Tue, 25 Sep 2018 12:38:50 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: setrlimit hangs the process

On Tue, Sep 25, 2018 at 05:36:05PM +0200, Szabolcs Nagy wrote:
> * Rabbitstack <rabbitstack7@...il.com> [2018-09-25 16:54:37 +0200]:
> > Sorry. Let me describe the problem in more detail.
> > 
> > The process only hangs when launched without root privileges on the host
> > (Arch Linux x64 with kernel 4.17.5-1) where Alpine docker container is
> > running. Once with root privileges, it starts up correctly (but this is
> > obvious since it doesn't hit setrlimit call). The odd side is that on other
> > hosts it hangs even when started with root. No error messages so far.
> > Strace output:
> > 
> > $ sudo strace -p 9285
> > 
> > futex(0x2cddfc0, FUTEX_WAIT_PRIVATE, 0, NULL
> > 
> > $ sudo strace -f -p 9285
> > 
> > .....
> > [pid  9287] getdents64(10, /* 14 entries */, 2048) = 336
> > [pid  9287] tgkill(9285, 9285, SIGRT_2) = 0
> > [pid  9287] futex(0x7efbff70008c, FUTEX_LOCK_PI_PRIVATE,
> > {tv_sec=1537887068, tv_nsec=51442144}) = -1 ETIMEDOUT (Connection timed out)
> 
> it looks like musl tries to sync a setuid call across
> all threads (which is necessary since the linux syscall
> only changes the uid for the current thread instead of
> all threads so you can end up with different privileges
> in the same address space which is dangerous as well as
> non-POSIX-conformant setuid behaviour)
> 
> it's possible that the setuid syncing is somehow wrong
> in musl, but it's more likely that there are threads
> that are not created by the c runtime (but from go) and
> thus the sync cannot possibly work.

It actually can kinda work with such threads. musl's stop-the-world
__synccall pokes all kernel-level threads in the same process (thread
group) as the caller using signals and /proc/self/task to ensure it
didn't miss any, so it will work as long as they haven't blocked
libc-internal signals. There may be problems with the thread pointer
being invalid, though. The __synccall framework itself does not use
the TCB, but other stuff in the callback might. This should probably
be fixed.

> so try to look for where set*id is called and ensure it
> is not called or called before any threads are created
> (or at least before any go threads are created)
> 
> note that syscall.Set*id from go does not work either,
> it does not sync the threads (which is dangerously
> broken for a runtime that's always multi-threaded).

Yep, that's unsafe to use. Any use is likely exploitable.

Rich

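The check below is an added example, not code from this thread, from musl or from the Go project. It does from Go what Rich describes musl's __synccall doing from C: walk /proc/self/task to find every kernel thread in the thread group, including the ones the Go runtime created behind libc's back, and compare each thread's "Uid:" line from /proc/self/task/<tid>/status. A Go program on Alpine can run this after dropping privileges to confirm the change reached every thread. The function rawSetuidThisThreadOnly wraps the bare setuid(2) syscall, which the kernel applies to the calling thread only; it is the hazard Szabolcs warns about and is exercised only from main, and only when the process is root. The uid 65534 (nobody) and the thread count of four are assumptions for the demonstration. (Go 1.16 and later implement syscall.Setuid on Linux as an all-threads call; the raw syscall bypasses that, which is why it is used here.)

```go
// Added example, not from the thread, musl or Go: audit every kernel thread
// of this process via /proc/self/task, the directory musl's __synccall walks.
package main

import (
	"bufio"
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
	"syscall"
)

// TaskUID is one thread's "Uid:" line: real, effective, saved, filesystem uid.
type TaskUID struct {
	TID                  int
	Real, Eff, Saved, FS uint32
}

// readTaskUID parses /proc/self/task/<tid>/status for a single thread.
func readTaskUID(tid int) (TaskUID, error) {
	f, err := os.Open(fmt.Sprintf("/proc/self/task/%d/status", tid))
	if err != nil {
		return TaskUID{}, err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 5 && fields[0] == "Uid:" {
			var v [4]uint32
			for i := 0; i < 4; i++ {
				n, err := strconv.ParseUint(fields[i+1], 10, 32)
				if err != nil {
					return TaskUID{}, err
				}
				v[i] = uint32(n)
			}
			return TaskUID{tid, v[0], v[1], v[2], v[3]}, nil
		}
	}
	return TaskUID{}, fmt.Errorf("tid %d: no Uid: line", tid)
}

// SnapshotTaskUIDs enumerates /proc/self/task. A thread that exits between the
// directory listing and the status read is skipped rather than treated as an error.
func SnapshotTaskUIDs() ([]TaskUID, error) {
	entries, err := os.ReadDir("/proc/self/task")
	if err != nil {
		return nil, err
	}
	var out []TaskUID
	for _, e := range entries {
		tid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue
		}
		if t, err := readTaskUID(tid); err == nil {
			out = append(out, t)
		}
	}
	return out, nil
}

// AuditThreadUIDs reports whether every thread carries the expected real and
// effective uid. A mismatch means a set*id took effect on only some threads.
func AuditThreadUIDs(wantReal, wantEff uint32) (consistent bool, ntasks int, err error) {
	tasks, err := SnapshotTaskUIDs()
	if err != nil {
		return false, 0, err
	}
	consistent = true
	for _, t := range tasks {
		if t.Real != wantReal || t.Eff != wantEff {
			fmt.Fprintf(os.Stderr, "tid %d: uid %d/%d, expected %d/%d\n", t.TID, t.Real, t.Eff, wantReal, wantEff)
			consistent = false
		}
	}
	return consistent, len(tasks), nil
}

// rawSetuidThisThreadOnly is the unsafe pattern: the bare setuid(2) syscall
// changes only the calling kernel thread. Needs privilege; only main uses it.
func rawSetuidThisThreadOnly(uid uint32) error {
	if _, _, errno := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0); errno != 0 {
		return errno
	}
	return nil
}

// AuditWithThreads parks n goroutines on their own OS threads (threads libc never
// created) and audits while they are alive. With dropOnOne, the first of them
// drops to uid 65534 (assumed "nobody") via the raw syscall so the divergence shows.
func AuditWithThreads(n int, dropOnOne bool) (bool, int, error) {
	ready := make(chan struct{}, n)
	release := make(chan struct{})
	for i := 0; i < n; i++ {
		go func(i int) {
			runtime.LockOSThread() // pin this goroutine to a dedicated kernel thread
			if dropOnOne && i == 0 {
				_ = rawSetuidThisThreadOnly(65534) // fails with EPERM when unprivileged
			}
			ready <- struct{}{}
			<-release // goroutine exits still locked, so Go discards the thread
		}(i)
	}
	for i := 0; i < n; i++ {
		<-ready
	}
	ok, cnt, err := AuditThreadUIDs(uint32(os.Getuid()), uint32(os.Geteuid()))
	close(release)
	return ok, cnt, err
}

func main() {
	ok, n, err := AuditWithThreads(4, os.Geteuid() == 0)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%d tasks visible, uids consistent: %v\n", n, ok)
	if !ok {
		os.Exit(1)
	}
}
```

Run unprivileged, the program reports every thread with the same uid, because the raw setuid fails with EPERM and nothing changes. Run as root, one locked thread drops to 65534 while the main thread and the runtime's other threads stay at uid 0, and the audit prints the divergent tid and exits non-zero; that is the state Szabolcs calls "different privileges in the same address space". The same /proc walk is also what lets musl find Go-created threads at all, so if this audit sees a thread, __synccall's signal will reach it, provided the thread has not blocked the libc-internal signals.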