|
Message-ID: <f368f992-9c4c-8b7f-7b0e-39e39c27ebf7@ispras.ru> Date: Fri, 8 Feb 2019 21:14:48 +0300 From: Alexey Izbyshev <izbyshev@...ras.ru> To: Rich Felker <dalias@...c.org>, musl@...ts.openwall.com Subject: Re: __synccall: deadlock and reliance on racy /proc/self/task On 2/7/19 9:36 PM, Rich Felker wrote: >> For some reason __synccall accesses the list without a barrier (line >> 120), though I don't see why one wouldn't be necessary for correct >> observability of head->next. However, I'm testing on x86_64, so >> acquire/release semantics works without barriers. > > The formal intent in musl is that all a_* are full seq_cst barriers. > On x86[_64] this used to not be the case; we just used a normal store, > but that turned out to be broken because in some places (and > apparently here in __synccall) there was code that depended on a_store > having acquire semantics too. See commit > 3c43c0761e1725fd5f89a9c028cbf43250abb913 and > 5a9c8c05a5a0cdced4122589184fd795b761bb4a. > > If not for this fix, I could see this being related (but again, it > should see it after timeout anyway). But since the barrier is there > now, it shouldn't happen. Thanks for the explanation about a_store(). I didn't know that it has seq_cst semantics. However, I was talking about a barrier between loads of head and cp->tid/cp->next: for (cp = head; cp && cp->tid != tid; cp=cp->next); In my understanding, we need consume semantics to observe correct values of tid and next after we load head. If we don't take Alpha into account, it probably works without barriers on most current architectures, however, I don't know what policy musl has for such cases. >> Of course, the larger problem remains: if we may miss some threads >> because of /proc, we may fail to call setuid() syscall in those >> threads. And that's indeed easily happens in my second test >> (attached: test-setuid-mismatch.c; expected to be run as a suid >> binary; note that I tested both with and without "presignalling"). > > Does it work if we force two iterations of the readdir loop with no > tasks missed, rather than just one, to catch the case of missed > concurrent additions? I'm not sure. But all this makes me really > uncomfortable with the current approach. I've tested with 0, 1, 2 and 3 retries of the main loop if miss_cnt == 0. The test eventually failed in all cases, with 0 retries requiring only a handful of iterations, 1 -- on the order of 100, 2 -- on the order of 10000 and 3 -- on the order of 100000. > >> Both tests run on glibc (2.27) without any problem. > > I think glibc has a different problem: there's a window at thread exit > where setxid can return success without having run the id change in > the exiting thread. In this case, assuming an attacker has code > execution in the process after dropping root, they can mmap malicious > code over top of the thread exit code and obtain code execution as > root. Yes, it appears to be true: glibc won't signal a thread if it's marked as exiting [1, 2]. [1] https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/allocatestack.c;h=d8e8570a7d9b9622309555b03cc98b3dd22e11c9;hb=HEAD#l1035 [2] https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/allocatestack.c;h=d8e8570a7d9b9622309555b03cc98b3dd22e11c9;hb=HEAD#l1075 Alexey
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.