public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "tom dot honermann at oracle dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sources.redhat.com Subject: [Bug libc/4737] fork is not async-signal-safe Date: Tue, 11 Nov 2008 21:35:00 -0000 [thread overview] Message-ID: <20081111213433.6816.qmail@sourceware.org> (raw) In-Reply-To: <20070704013541.4737.nmiell@comcast.net> ------- Additional Comments From tom dot honermann at oracle dot com 2008-11-11 21:34 ------- (In reply to comment #6) Thank you for your comments Nicholas. > The purpose of aborting on detection of heap corruption is to prevent deliberate > heap corruption attacks. As such, allowing further use of the allocator after > detection of corruption has the potential to open up security holes that the > fail fast behavior designed to prevent. I agree that aborting the process when heap corruption is detected is a very good thing. I also agree with preventing further use of the allocator after heap corruption has been detected. However, those issues are different concerns than what has been reported in this bug report. > > Furthermore, being async-signal-safe requires that fork be callable from any > signal handler at any time, which means that in addition to being able to fork > from a SIGABRT resulting from heap corruption, we must also be able to fork from > e.g. a SIGALRM handler that can interrupt the allocator at any time. POSIX requires fork to be callable from any signal handler at any time - which includes the contexts which you described. Note that it would be a violation of POSIX for the signal handler (either before or after calling fork) to call heap routines. None of the heap routines (malloc, free, etc...) are required to be async-signal-safe. All functions called by a signal handler must be async-signal-safe - which means that any attack of the heap through manipulation of a signal handler that calls heap routines would already constitute a defect in the signal handler (ie, that it called heap routines at all). The security issue in that case would be the defect in the signal handler, not that fork was async-signal-safe. > > As such, making the mutexes recursive would allow > malloc-from-fork-from-signal-handler to potentially see inconsistent allocator > state and lead to heap corruption or other errors. This is true - but would constitute a POSIX violation since heap routines are not async-signal-safe. > > fork probably needs to stop allocating memory at all. fork doesn't allocate memory - it isn't permitted to (at least, not via the heap) due to the async-signal-safe requirement. The problem reported here is that calls to fork will hang indefinitely if fork is called from a signal handler while the executing thread holds one of the heap mutexes. This hang happens even if the signal handler never calls a heap routine. The fact that fork locks all heap related mutexes is a very important feature for when fork is called from outside of a signal handler (since in that case, the forked child may go on to use the heap). However, it breaks fork from a signal handler by attempting to acquire mutexes that are not needed for the parent/child processes running in the context of the signal handler. -- http://sourceware.org/bugzilla/show_bug.cgi?id=4737 ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
next prev parent reply other threads:[~2008-11-11 21:35 UTC|newest] Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top 2007-07-04 1:35 [Bug libc/4737] New: " nmiell at comcast dot net 2008-10-11 18:47 ` [Bug libc/4737] " morten+sources dot redhat dot com at afdelingp dot dk 2008-10-20 11:47 ` morten+sources dot redhat dot com at afdelingp dot dk 2008-10-21 5:13 ` nmiell at comcast dot net 2008-10-30 14:55 ` morten+sources dot redhat dot com at afdelingp dot dk 2008-11-05 9:00 ` tom dot honermann at oracle dot com 2008-11-05 9:57 ` tom dot honermann at oracle dot com 2008-11-06 23:10 ` nmiell at comcast dot net 2008-11-07 1:10 ` morten+sources dot redhat dot com at afdelingp dot dk 2008-11-11 21:35 ` tom dot honermann at oracle dot com [this message] 2008-11-11 21:41 ` tom dot honermann at oracle dot com 2008-11-11 22:04 ` tom dot honermann at oracle dot com 2008-11-18 22:30 ` tom dot honermann at oracle dot com 2008-11-18 23:45 ` rsa at us dot ibm dot com 2008-11-18 23:57 ` rsa at us dot ibm dot com 2008-11-19 1:39 ` tom dot honermann at oracle dot com 2008-11-19 16:23 ` rsa at us dot ibm dot com 2009-01-14 1:22 ` tom dot honermann at oracle dot com 2009-01-14 8:46 ` jakub at redhat dot com 2009-01-14 9:44 ` tom dot honermann at oracle dot com 2009-01-16 17:19 ` tom dot honermann at oracle dot com [not found] <bug-4737-131@http.sourceware.org/bugzilla/> 2011-10-13 17:53 ` llucax at gmail dot com 2011-10-13 17:54 ` llucax at gmail dot com 2011-10-13 17:56 ` llucax at gmail dot com 2011-10-14 14:06 ` bugdal at aerifal dot cx 2012-03-27 13:43 ` krebbel1 at de dot ibm.com 2012-04-11 7:58 ` aj at suse dot de 2014-02-16 19:42 ` jackie.rosen at hushmail dot com 2014-05-28 19:41 ` schwab at sourceware dot org 2014-08-25 2:25 ` naesten at gmail dot com 2015-05-07 15:27 ` gbenson at redhat dot com 2021-06-28 19:00 ` adhemerval.zanella at linaro dot org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20081111213433.6816.qmail@sourceware.org \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sources.redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).