From patchwork Tue Jul 23 13:41:47 2024
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 813951
From: Adhemerval Zanella
To: libc-alpha@sourceware.org, Carlos O'Donell, Florian Weimer
Subject: [PATCH v2 0/2] Make abort AS-safe
Date: Tue, 23 Jul 2024 10:41:47 -0300
Message-ID: <20240723134235.1520483-1-adhemerval.zanella@linaro.org>
X-Mailer: git-send-email 2.43.0

POSIX states that abort should be AS-safe, and Rust also had an open PR
about it [1] (it was closed with a different fix). The main issue is the
recursive lock used on abort does not synchronize with new process
creation (either by fork-like interfaces or posix_spawn ones), nor is it
reinitialized after fork.

Also, the SIGABRT unblock before raise shows another race condition,
where a fork or posix_spawn call by another thread just after the
recursive lock release and before raising SIGABRT might create a new
process with a non-expected signal mask.

To fix the AS-safe, the raise is issued without changing the process
signal mask, and an AS-safe lock is used if a SIGABRT is installed or the
process is blocked or ignored. With the signal mask change removal,
there is no need to use a recursive lock. The lock is also used on both
_Fork and posix_spawn, to avoid the spawn process to see the abort
handler as SIG_DFL.

This change was not fully possible with previous POSIX standard (2008),
where it stated that:

  The abort() function shall override blocking or ignoring the SIGABRT
  signal.

And

  The SIGABRT signal shall be sent to the calling process as if by means
  of raise() with the argument SIGABRT.

The latter has been changed with a new clarification [3]:

  The SIGABRT signal shall be sent to the calling [CX]thread[/CX] as if
  by means of raise() with the argument SIGABRT. [CX]If this signal does
  not terminate the process (for example, if the signal is caught and
  the handler returns), abort() may change the disposition of SIGABRT to
  SIG_DFL and send the signal (in the same way) again. If a second
  signal is sent and it does not terminate the process, the behavior is
  unspecified, except that the abort() call shall not return.

The clone is also subjected to this issue, but since glibc does not do
any internal metadata setup (as for fork-like function), this patch does
not handle it for the symbol.

I have not added a regression test because, from Carlos's previous
patch [2], hitting the code path to trigger the potential issue (fork
just after abort has acquired the lock and reset SIGABRT handler) is not
deterministic and it would generate a lot of development overhead.

[1] https://github.com/rust-lang/rust/issues/73894#issuecomment-673478761
[2] https://sourceware.org/pipermail/libc-alpha/2020-September/117934.html
[3] https://austingroupbugs.net/view.php?id=906#c5851

Changes from v1:
- Rename the signal block and lock to __abort_lock_lock.
- Improve comments on both abort, where the signal disposition can not
  be changed, and on posix_spawn on why it needs to take the abort lock.
- Use gettid() on __pthread_raise_internal.
- Added a NEWS entry for the setjmp fix.

Adhemerval Zanella (2):
  setjmp: Use BSD sematic as default for setjmp
  stdlib: Make abort/_Exit AS-safe (BZ 26275)

 NEWS                                       |   4 +-
 include/bits/unistd_ext.h                  |   3 +
 include/stdlib.h                           |   6 +
 manual/setjmp.texi                         |  14 +--
 manual/startup.texi                        |   5 +-
 nptl/pthread_create.c                      |   3 +-
 nptl/pthread_kill.c                        |  11 ++
 posix/fork.c                               |   2 +
 setjmp/setjmp.h                            |   5 -
 signal/sigaction.c                         |  15 ++-
 stdlib/abort.c                             | 131 ++++++++-------------
 sysdeps/generic/internal-signals.h         |  27 ++++-
 sysdeps/generic/internal-sigset.h          |  26 ++++
 sysdeps/htl/pthreadP.h                     |   2 +
 sysdeps/nptl/_Fork.c                       |   9 ++
 sysdeps/nptl/libc_start_call_main.h        |   3 +-
 sysdeps/nptl/pthreadP.h                    |   1 +
 sysdeps/unix/sysv/linux/internal-signals.h |   9 ++
 sysdeps/unix/sysv/linux/internal-sigset.h  |   2 +-
 sysdeps/unix/sysv/linux/spawni.c           |   8 +-
 20 files changed, 174 insertions(+), 112 deletions(-)
 create mode 100644 sysdeps/generic/internal-sigset.h
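
The race described in the cover letter is not deterministic, but the two facts it rests on are: abort() has to end the process with SIGABRT even when the signal is blocked, ignored or caught by a handler that returns, and a child created by fork starts with whatever SIGABRT mask and disposition its parent had at that instant. The C program below is an added example, not part of the posted series or of glibc; every function and enum name it defines is made up for illustration, and it assumes a POSIX system where fork is available.

```c
/* Added example, not glibc code; every name defined here is illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
enum setup { SETUP_DEFAULT, SETUP_BLOCKED, SETUP_IGNORED, SETUP_HANDLER_RETURNS };
static void returning_handler(int sig) { (void)sig; }
/* Reap pid: terminating signal if killed, else minus the exit status. */
static int reap(pid_t pid) {
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : -WEXITSTATUS(status);
}
/* Call abort() in a child prepared per `how`; return the signal that killed it. */
int abort_termination_signal(enum setup how) {
    sigset_t set;
    pid_t pid = fork();
    if (pid != 0) return reap(pid);
    setrlimit(RLIMIT_CORE, &(struct rlimit){ 0, 0 });  /* no core file from the child */
    sigemptyset(&set); sigaddset(&set, SIGABRT);
    if (how == SETUP_BLOCKED) sigprocmask(SIG_BLOCK, &set, NULL);
    if (how == SETUP_IGNORED) signal(SIGABRT, SIG_IGN);
    if (how == SETUP_HANDLER_RETURNS) signal(SIGABRT, returning_handler);
    abort();
    _exit(0);                                  /* reached only if abort() returned */
}
/* Return 1 if a fork() child starts with the caller's SIGABRT mask and disposition. */
int child_inherits_sigabrt_state(void) {
    sigset_t set, old;
    sigemptyset(&set); sigaddset(&set, SIGABRT);
    sigprocmask(SIG_BLOCK, &set, &old);
    void (*old_handler)(int) = signal(SIGABRT, SIG_IGN);
    pid_t pid = fork();
    if (pid == 0) {                            /* child: inspect what it was born with */
        sigprocmask(SIG_SETMASK, NULL, &set);
        _exit(sigismember(&set, SIGABRT) == 1 && signal(SIGABRT, SIG_DFL) == SIG_IGN ? 0 : 1);
    }
    signal(SIGABRT, old_handler);              /* parent: restore its own state */
    sigprocmask(SIG_SETMASK, &old, NULL);
    return reap(pid) == 0;
}
int main(void) {
    for (int how = SETUP_DEFAULT; how <= SETUP_HANDLER_RETURNS; how++)
        printf("setup %d: killed by signal %d\n", how, abort_termination_signal(how));
    printf("child inherited SIGABRT state: %d\n", child_inherits_sigabrt_state());
    return 0;
}
```

Because the child is a snapshot of the parent's signal state, any temporary change abort() makes to the mask or handler is visible to a process created concurrently, which is the window the series closes by taking the abort lock in _Fork and posix_spawn.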