Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210717004131.GE13220@brightrain.aerifal.cx>
Date: Fri, 16 Jul 2021 20:41:31 -0400
From: Rich Felker <dalias@...c.org>
To: Ariadne Conill <ariadne@...eferenced.org>
Cc: musl@...ts.openwall.com, Timo Teras <timo.teras@....fi>
Subject: Re: option to enable eh_frame

On Fri, Jul 16, 2021 at 05:06:48PM -0500, Ariadne Conill wrote:
> Hello,
> 
> On Fri, 16 Jul 2021, Rich Felker wrote:
> 
> >On Fri, Jul 16, 2021 at 12:16:25PM +0300, Timo Teras wrote:
> >>Hi,
> >>
> >>This has been discussed few times, and I know there are arguments also
> >>not to do this. But at this time we at Alpine think the reasons to keep
> >>eh_frame outweight the reasons to not include it.
> >
> >As explained on the tracker issue, what you'r requesting is a patch to
> >make a configure option that changes the public interface contract of
> >musl, making different interface contract profiles. This is not a
> >change to be made lightly. There has been *some* consideration in the
> >past for accepting this kind of option in the opposite direction:
> >omitting large functionality that might not be needed in some contexts
> >(like iconv), but where the default is to have it and omitting it is
> >just a choice particular users can make for working in a very
> >constrained environment. But if you add the option, you're essentially
> >making "having it" the de facto default, even if configure has
> >"disable" as the default. Once something is using it, there's an
> >implicit requirement to have it.
> >
> >Honestly, proposing that it always be available (or configurable but
> >on by default) would be less controversial than a configure option.
> >I'd still be against it but at least some of the badness is gone.
> >
> >>Main arguments against .eh_frame being:
> >>
> >>1) Having .eh_frame makes it seem like C++ exception throwing works
> >>   through C-library functions (e.g. throwing exception form qsort
> >>   callback to return over qsort back to application).
> >>
> >>   Counter arguments:
> >>   - C++ exceptions is just one way to jump through musl functions.
> >>     E.g. setjmp/longjmp can do that just fine even without .eh_frame
> >>
> >>2) Having application unwind itself for backtrace printing purposes
> >>   especially in signal handler is bad. This is agreed, but there's
> >>   still other cases when unwinding is good for debugging, and other
> >>   reasons. The fix for this root cause is to remove the unwinding from
> >>   signal handlers.
> >
> >The debugger already can do debugging/unwinding because it has access
> >to the debug information (if you've installed it) and there is a
> >clear, understood-by-users contract that this information is not an
> >inherent part of the program but something optional for external
> >debugging tools only.
> >
> >>Arguments to have .eh_frame:
> >> - It allows debugging things even if musl-dbg is not or cannot be
> >>   installed for some reason (e.g. gdb, valgrind), or is no longer
> >>   available
> >> - libunwind/libexecinfo will start to work and give meaningful
> >>   backtraces
> >
> >This is explicitly a reason not to. backtrace() considered harmful.
> >
> >> - Continuous kernel based profiling (e.g. perf record -g dwarf) will
> >>   work
> >
> >This already works if you have debug info.
> >
> >>Given that the main arguments against are either making UB crash, or
> >>not the best fix, and keeping eh_frame enables useful features to work,
> >>I think it would make sense to allow enabling it.
> >>
> >>Please consider the the attached patch to make it a configure option to
> >>enable keeping eh_frame (defaulting still to not keeping it).
> >
> >You can solve this problem just as well for the things you want to
> >have work by including the (part of) the debug info you want in the
> >main libc.so binary: .debug_frame. Of course I can't stop Alpine from
> >doing it in a different way locally, but I would strongly recommend
> >you do that rather than making a contract that diverges from musl.
> 
> The problem is that Alpine users want backtrace(3) to work.  You

This is a very different narrative from the request I received to take
this patch. I'm concerned about that.

> consider it harmful, but users complain frequently.  We also want

Alpine is a security-oriented distribution. Doing introspective
debugging when a crash happens is *inviting* exploitation; the reason
that's the case has been discussed extensively before. Applications
trying to do this should be patched not to do it.

> C++ exception throwing across libc boundary to work, but admittedly
> that is a lot harder to achieve.

Do you have in mind some place where this would be remotely valid
usage? I don't mean per the spec, where it's never valid, but some
kind of "at least this makes sense someone could want to do it" sense.

There are only a few places where the application can even see an
environment called back from libc. Most of these are things like
comparison functions that are required to be pure. There is no way in
which throwing from them could ever make sense, because throwing is
not a pure operation. Another is things like enumeration callbacks.
Most of these necessarily have inconsistent state and/or resources
held that would be lost if you could asynchronously jump out of them,
and most of them have a way for the callback to request the operation
to stop. This means that if you want to use exceptions with them, the
top-level callback just has to catch the exception and convert it to a
return value. The same applies for things like fopencookie.

> I am concerned about the unilateral approach we have taken to enable
> backtrace(3) though, if we are forking the musl ABI, we probably
> will wind up forking the musl API too to add user-requested
> functionality.

This would be very unfortunate, and would make me actively recommend
against use of Alpine. One of the core values of musl is consensus
process, not attempts to unilaterally force something like this,
especially when it's been done in a way that feels misleading.
Communication with me/upstream musl started out as presenting this as
being about debugging, but it feels like that was a bait-and-switch
for getting something else.

> We (Alpine) should consider whether we actually want this.
> Historically, we have been able to find compromises that allow us to
> enable the user requests in a way that Rich finds acceptable.

Yes. As a distro, you oftentimes have users asking for something
that's wrong, that shouldn't exist. One core job of a maintainer -- a
distro maintainer too -- is saying no. Here, users seem to be asking
for something that makes software less secure, and that's not a
portable feature one can rely on having.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.