Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <6691B8FB.1040403@gmail.com>
Date: Fri, 12 Jul 2024 18:15:07 -0500
From: Jacob Bachmeyer <jcb62281@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: backtrace_symbols() misuse by Ceph and its supposedly-safe
 use

Alexander Patrakov wrote:
> [...]
> What would be a good solution (as in: something that does not convert
> crashes into deadlocks) here? I understand that, after memory
> corruption, we are already in the UB territory, but is there anything
> better possible than what is implemented?

I would suggest a monitor daemon that runs GDB to get the backtrace.  
The simplest way to do this would require Ceph to have its own 
supervisor (not unique; PostgreSQL has long had a "postmaster" process 
that manages the worker "postgres" backend processes) and provide each 
daemon with a pipe back to the supervisor; the fatal error handler need 
only write(2) to the pipe from a static string and/or fixed buffer (to 
report a signal number) and then enter an infinite loop; the supervisor 
then kills the crashed process, possibly after attaching GDB and 
collecting a backtrace.

Alternately, simply run the Ceph daemons with `ulimit -c` nonzero and 
collect the core files.  The core files can be analyzed using GDB after 
the fact.  No dedicated supervisor needed here, only kernel facilities.

The central problem here, as I understand it, is trying to do too much 
in a process that has gone into undefined behavior.  Attaching GDB or 
dumping a core file both sidestep that problem.


-- Jacob

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.