Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20200816012700.GV3265@brightrain.aerifal.cx>
Date: Sat, 15 Aug 2020 21:27:00 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: Restrictions on child context after multithreaded fork

On Sat, Aug 15, 2020 at 12:25:47PM -0400, Rich Felker wrote:
> On Sat, Aug 15, 2020 at 01:51:00PM +0200, Natanael Copa wrote:
> > xfce4-terminal was more or less completely useless so I had to add a workaround for it in two patches:
> > 
> > First uncover a useless setenv. Even the comment in the code says that it has no effect:
> > https://git.alpinelinux.org/aports/commit/community/vte3?id=ad687b01b2a5fa9d53fcd9d0ee3743882f3542b4
> > 
> > In the second patch I use some of the hunks in the upstream and replace malloc with alloca:
> > https://git.alpinelinux.org/aports/commit/community/vte3?id=161434fcb87807dae40dffdd332db1624b747bc7
> > 
> > After that xfce4-terminal becomes useable again.
> 
> I'm not sure whether the alloca is safe. The parent could just do this
> allocation *before fork* rather than waiting til the last minute to do
> it. The data does not change between fork and exec. Note that the glib
> fix cited above did this right.
> 
> The hardcoded fallback for fd limit seems like a bad idea, and I don't
> think I understand your fallback sequence. It looks like RLIM_INFINITY
> gets reinterpreted as 4096. I'm not sure how it should be interpreted;
> in principle, probably as INT_MAX+1U. This is again exposing how the
> whole "close-all" idiom is horribly wrong and these libraries should
> just be documenting that you must use O_CLOEXEC correctly if you don't
> want them to leak file descriptors.

Fortunately it looks like Linux doesn't let you set RLIM_INFINITY for
RLIM_NOFILE. The value of the rlimit is limited by sysctl fs.nr_open,
and fs.nr_open is limited between sysctl_nr_open_min (==BITS_PER_LONG)
and sysctl_nr_open_max. The latter is INT_MAX/8*8 on 64-bit archs, and
SIZE_MAX/16*4 on 32-bit archs. But in any case, on Linux, you can rely
on sysctl(_SC_OPEN_MAX) to give an actual meaningful number that fits
in the range of long, not -1/unlimited, and thus the invalid fallback
case is never hit.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.