[Bug nptl/14147] New: Async cancellation left active after longjmp out of signal handler

[Bug nptl/14147] New: Async cancellation left active after longjmp out of signal handler

[bugdal at aerifal dot cx]

http://sourceware.org/bugzilla/show_bug.cgi?id=14147

             Bug #: 14147
           Summary: Async cancellation left active after longjmp out of
                    signal handler
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nptl
        AssignedTo: unassigned@sourceware.org
        ReportedBy: bugdal@aerifal.cx
                CC: drepper.fsp@gmail.com
    Classification: Unclassified


If a signal handler interrupts a function which is async-signal-safe, it's
valid to exit the signal handler with longjmp. Suppose the interrupted function
is also a cancellation point. Due to NPTL's implementation of cancellation
points (switch to async cancellation mode, invoke the syscall, switch back),
the cancellation mode will get left as asynchronous, contrary to the
expectations of a conforming application, and subsequent code that is not
async-cancellation-safe will get run with async cancellation, possibly causing
severe memory corruption when a cancellation request arrives.

This bug is related to bug #12683 (also reported by me), but I'm reporting it
separately because it's not a rare race condition but breakage in a specific
usage case that will occur without any race.

Fixing all of these issues requires abandoning the naive approach of wrapping
syscalls in switches to/from async cancellation mode, and instead having the
cancellation signal handler check (via program counter comparison, either
directly or using whatever fancy DWARF stuff is popular) to determine whether
the interrupted thread was blocked at a cancellation point, and thus whether to
act on cancellation.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug nptl/14147] Async cancellation left active after longjmp out of signal handler

[carlos at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14147

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com
         Depends on|                            |12683

--- Comment #1 from Carlos O'Donell <carlos at redhat dot com> ---
I'm marking this as dependent on 12683 since a solution for 12683 should
consider this bug.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nptl/14147] Async cancellation left active after longjmp out of signal handler

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=14147

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.