Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20190625232617.GK1506@brightrain.aerifal.cx>
Date: Tue, 25 Jun 2019 19:26:17 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: seccomp causes pthread_join() to hang

On Wed, Jun 26, 2019 at 12:18:05AM +0100, Radostin Stoyanov wrote:
> Hello,
> 
> In the test suite of CRIU [1] we have noticed an interesting bug
> which is caused by commit 8f11e6127fe93093f81a52b15bb1537edc3fc8af
> ("track all live threads in an AS-safe, fully-consistent linked
> list") [2].
> 
> When seccomp is used in a multithreaded application it may cause
> pthread_join() to hang.
> 
> This is a minimal application to reproduce the issue:
> 
> 
> #include <errno.h>
> #include <seccomp.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <pthread.h>
> #include <unistd.h>
> 
> static void *fn()
> {
>     scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
>     if (!ctx) {
>         perror("seccomp_init");
>         goto err;
>     }
> 
>     if (seccomp_load(ctx) < 0) {
>         perror("seccomp_load");
>         goto err;
>     }
> 
>     /* This should cause SIG_KILL */
>     getpid();
> err:
>     return (void *)1;
> }
> 
> int main()
> {
>     pthread_t t1;
> 
>     if (pthread_create(&t1, NULL, fn, NULL)) {
>         perror("pthread_create");
>         return -1;
>     }
> 
>     if (pthread_join(t1, NULL)) {
>         perror("pthread_join");
>         return -1;
>     }
> 
>     return 0;
> }
> 
> 
> Expected behaviour: Thread t1 should receive SIG_KILL and the main
> thread should return 0.
> Actual behaviour: pthread_join() hangs.
> Reproducibility: Always
> Regression: Yes
> 
> 
> This bug can be reproduced with Alpine 3.10 ($ docker run -it
> alpine:3.10 sh).

A fundamental property of the pthread API, and part of why threads are
a much better primitive than processes for lots of purposes, is that
threads are not killable; only whole processes are. Any configuration
that results in a thread being terminated out from under the process
has all sorts of extremely dangerous conditions with memory/locks
being left in inconsistent state, tid reuse while the application
thinks the old thread is still alive, etc., and fundamentally can't be
supported. What you're seeing is exposure of a serious existing
problem with this seccomp usage, not a regression.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.