[Bug nptl/28361] New: Fix for bug 12889 causes setxid deadlock

[Bug nptl/28361] New: Fix for bug 12889 causes setxid deadlock

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28361

            Bug ID: 28361
           Summary: Fix for bug 12889 causes setxid deadlock
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: critical
          Priority: P2
         Component: nptl
          Assignee: fweimer at redhat dot com
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

We have a test case for downstream bug
https://bugzilla.redhat.com/show_bug.cgi?id=522528 that apparently was never
upstreamed (and it doesn't even have to be an xtest).

After the fix for bug 12889, this test case deadlocks because the setxid
machinery waits for a response to a signal that never arrives.

#include <pthread.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

#define LOOPS   1000

uid_t   uid;

void *subthread(void *dummy)
{
        setuid(uid);
}

int main(void)
{
        pthread_t tid[LOOPS];
        int     i, ret;

        uid = getuid();

        for(i=0; i < LOOPS; i++) {
                ret = pthread_create(&tid[i], NULL, &subthread, NULL);
                if(ret != 0) {
                        perror("pthread_create");
                        return 1;
                }
        }
        for(i=0; i < LOOPS; i++) {
                ret = pthread_join(tid[i], NULL);
                if(ret != 0) {
                        perror("pthread_join");
                }
        }
        return 0;
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nptl/28361] Fix for bug 12889 causes setxid deadlock

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28361

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
             Status|NEW                         |ASSIGNED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
I'm testing a fix.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nptl/28361] Fix for bug 12889 causes setxid deadlock

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28361

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.redhat.com
                   |                            |/show_bug.cgi?id=522528

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nptl/28361] Fix for bug 12889 causes setxid deadlock

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28361

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Patch posted:
https://sourceware.org/pipermail/libc-alpha/2021-September/131232.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nptl/28361] Fix for bug 12889 causes setxid deadlock

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=28361

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
   Target Milestone|---                         |2.35

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.35 via:

commit 2849e2f53311b66853cb5159b64cba2bddbfb854
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Sep 23 09:55:54 2021 +0200

    nptl: Avoid setxid deadlock with blocked signals in thread exit [BZ #28361]

    As part of the fix for bug 12889, signals are blocked during
    thread exit, so that application code cannot run on the thread that
    is about to exit.  This would cause problems if the application
    expected signals to be delivered after the signal handler revealed
    the thread to still exist, despite pthread_kill can no longer be used
    to send signals to it.  However, glibc internally uses the SIGSETXID
    signal in a way that is incompatible with signal blocking, due to the
    way the setxid handshake delays thread exit until the setxid operation
    has completed.  With a blocked SIGSETXID, the handshake can never
    complete, causing a deadlock.

    As a band-aid, restore the previous handshake protocol by not blocking
    SIGSETXID during thread exit.

    The new test sysdeps/pthread/tst-pthread-setuid-loop.c is based on
    a downstream test by Martin Osvald.

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    Tested-by: Carlos O'Donell <carlos@redhat.com>

-- 
You are receiving this mail because:
You are on the CC list for the bug.