[Bug nptl/3270] New: Setuid implementation has races and lockups

[Bug nptl/3270] New: Setuid implementation has races and lockups

[drow at sources dot redhat dot com]

I discovered a problem with the existing code for __nptl_setxid.  It can set the
setxid bit in cancelhandling for a thread, and then fail to send it a signal,
leading to a lockup in start_thread during thread exit.  This can happen when
the thread's stack has been allocated (under stack_cache_lock) but the thread
has not yet been created, so TID is not set in the thread descriptor.

Similarly, __nptl_setxid can miss a thread being created just before its parent
is signalled, leaving that thread with the wrong UID.  There were also minor
problems, e.g. setxid_futex was never reset so the exit behavior was different
if the thread had experienced at least one prior setxid event during its lifetime.

I'll attach a patch and testcase.

-- 
           Summary: Setuid implementation has races and lockups
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nptl
        AssignedTo: drepper at redhat dot com
        ReportedBy: drow at sources dot redhat dot com
                CC: glibc-bugs at sources dot redhat dot com
  GCC host triplet: x86_64-pc-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[drow at sources dot redhat dot com]

------- Additional Comments From drow at sources dot redhat dot com  2006-09-27 15:38 -------
Created an attachment (id=1329)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=1329&action=view)
Testcase.

This test illustrates the problem, but not reliably.  I have to run about
twenty copies of it in parallel; some of them will exit after 3000 iterations,
others will remain blocked with one thread in pthread_join.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[drow at sources dot redhat dot com]

------- Additional Comments From drow at sources dot redhat dot com  2006-09-27 15:41 -------
Created an attachment (id=1330)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=1330&action=view)
Patch.

This patch fixes the problem; testsuite run on x86_64-pc-linux-gnu, no
regressions.  It makes the setuid path slightly slower but has no effect on the
non-setuid path, unlike my earlier attempts.

An earlier version of this patch with more assertions triggered this kernel
bug:
  http://bugzilla.kernel.org/show_bug.cgi?id=7210

A fix to that is not necessary for this version of the patch, but I recommend
it anyway.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[ismail at pardus dot org dot tr]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ismail at pardus dot org dot
                   |                            |tr


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[pwatkins at sicortex dot com]

------- Additional Comments From pwatkins at sicortex dot com  2008-02-12 22:33 -------
We seem to have hit this problem on our large cluster -- when we run 5500 jobs
of "seq 10" without this patch, our slurm process manager hangs. Just adding
this patch to glibc with no other changes, and 200 runs of the 5500 parallel
jobs of "seq 10" works OK.

Any chance this patch could be considered for a glibc release?

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[vincent dot arrat at infotel dot com]

------- Additional Comments From vincent dot arrat at infotel dot com  2008-12-05 14:20 -------
We also encounter this problem with the product we are providing.
I would want to know if this issue is now fixed.
And if yes, the glibc level in which the fix has been added.
We have customers using our product on Linux platforms with a glibc level
containing this issue.
Thank you very much.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[pasky at suse dot cz]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pasky at suse dot cz


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[schwab at linux-m68k dot org]

------- Additional Comments From schwab at linux-m68k dot org  2009-10-29 16:53 -------
*** Bug 10184 has been marked as a duplicate of this bug. ***

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |samandbernie at guarana dot
                   |                            |org


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[schwab at linux-m68k dot org]

------- Additional Comments From schwab at linux-m68k dot org  2009-10-29 16:55 -------
Created an attachment (id=4339)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4339&action=view)
Updated patch


-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1330 is|0                           |1
           obsolete|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2009-10-30 08:01 -------
I've applied the patch.  I don't like it but it can be changed later.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=3270

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nptl/3270] Setuid implementation has races and lockups

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=3270

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nptl/3270] Setuid implementation has races and lockups

[wade.colson at aol dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=3270

Wade Colson <wade.colson at aol dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wade.colson at aol dot com

--- Comment #8 from Wade Colson <wade.colson at aol dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/chat-with-strangers
Marked for reference. Resolved as fixed @bugzilla.

-- 
You are receiving this mail because:
You are on the CC list for the bug.