lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110512173228.GO1030@htj.dyndns.org>
Date:	Thu, 12 May 2011 19:32:28 +0200
From:	Tejun Heo <tj@...nel.org>
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	jan.kratochvil@...hat.com, vda.linux@...glemail.com,
	linux-kernel@...r.kernel.org, torvalds@...ux-foundation.org,
	akpm@...ux-foundation.org, indan@....nu
Subject: Re: [PATCH 09/11] job control: reorganize wait_task_stopped()

Hello,

On Thu, May 12, 2011 at 07:25:06PM +0200, Oleg Nesterov wrote:
> > WNOHANG disables that mechanism.
> 
> Yes, this is clear. WNOHANG can "race" with the transitions above.
> But we do not care, this is like reading the word which can be
> changed by another thread, no?
> 
> But this bug is different. Say, the parent does wait(WNOWAIT) and
> gets CLD_STOPPED. After that it has all rights to assume that
> wait(WNOHANG) must report either STOPPED or CONTINUED.

They aren't that different.  Please consider the following program.

  #define PTRACE_SEIZE		0x4206
  #define PTRACE_INTERRUPT	0x4207

  #define PTRACE_SEIZE_DEVEL	0x80000000

  static const struct timespec ts1ms = { .tv_nsec = 1000000 };

  int main(int argc, char **argv)
  {
	  pid_t child, control;

	  child = fork();
	  if (!child)
		  while (1)
			  pause();

	  kill(child, SIGSTOP);
	  waitid(P_PID, child, NULL, WSTOPPED | WNOWAIT);

	  control = fork();
	  if (!control) {
		  while (1) {
			  kill(child, SIGCONT);
			  nanosleep(&ts1ms, NULL);
			  kill(child, SIGSTOP);
			  nanosleep(&ts1ms, NULL);
		  }
	  }

	  while (1) {
		  siginfo_t si = {};

		  waitid(P_PID, child, &si,
			 WSTOPPED | WCONTINUED | WNOWAIT | WNOHANG);
		  if (!si.si_pid)
			  break;
	  }

	  kill(control, SIGKILL);
	  kill(child, SIGKILL);
	  return 0;
  }

waitid(2) should always succeed as it's never consuming wait state,
but it does, with or without the patch.  All transitions need to be
made water tight to remove the bug.

Thanks.

-- 
tejun
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ