lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.20.1705302105190.2356@nanos>
Date:   Tue, 30 May 2017 21:35:33 +0200 (CEST)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
cc:     LKML <linux-kernel@...r.kernel.org>,
        Oleg Nesterov <oleg@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...nel.org>,
        Michael Kerrisk <mtk.manpages@...il.com>,
        linux-man@...r.kernel.org, libc-alpha <libc-alpha@...rceware.org>
Subject: Re: signals: Bug or manpage inconsistency?

On Tue, 30 May 2017, Linus Torvalds wrote:
> On Tue, May 30, 2017 at 6:21 AM, Thomas Gleixner <tglx@...utronix.de> wrote:
> >
> > Linus, any recollection?
> >
> > IMO, it's perfectly reasonable to discard ignored signals even when the
> > signal is in the blocked mask. When its unblocked and SIG_IGN is replaced
> > then the next signal will be delivered. But hell knows, how much user space
> > depends on this weird behaviour by now.
> 
> Is there any real reason you care? Because clearly we're doing what
> POSIX allows, and I'd be nervous about changing existing behavior.
> 
> There are various races wrt signals that happen particularly around
> fork/exec, and the way that programs handle those races is to block
> signals. I don't know that anybody cares about the exact semantics of
> this, but I could *imagine* that they do.
> 
> Our current behavior is actually very nice: blocking a signal
> basically guarantees that you're now "atomic" wrt that signal. You
> won't lose signaling events after the blocking, unless you explicitly
> throw them away.

Right, blocking signals which are not set to SIG_IGN makes perfectly sense. The
SIG_IGN case is what bothers me.

If you do

   ignore(sig);
			<- Signal discarded

   sigpending() -> empty

   block(sig);
			<- Signal queued

   sigpending() -> queued signal marked pending

   unblock(sig);
			<- Queued signal dequeued and discarded due to SIG_IGN

   sigpending() -> empty

> So I would suggest *not* changing the semantics unless you have a
> major real reason for wanting to do that.

The reason why I'm looking into that is the silly case with posix interval
timers dealing with ignored signals. We have to keep these timers self
rearming because nothing rearms them when SIG_IGN is lifted. That means
it's a nice way to keep the system busy and the process which armed the
timer is never waking up. We have a crude 'rate limit' of the interval to
one jiffie in place which prevents a unpriviledged DOS attack by arming the
timer with a very small interval. But that turns that mechanism into a
battery drain which is not obvious to figure out.

When I was working on a mitigation for that, which of course involves
fiddling with the signal code, I noticed that issue with sigpending() which
returns the blocked _and_ ignored signal as pending despite the man page
claiming otherwise. That made me look deeper and wonder about the rather
strange and inconsistent semantics of all of this.

Thanks,

	tglx


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ