Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 30 Sep 2019 19:39:28 +0200
From: Markus Wichmann <>
Subject: Re: Hangup calling setuid() from vfork() child

On Mon, Sep 30, 2019 at 08:29:16AM -0700, Joshua Hudson wrote:
> If there is more than one thread and vfork() calls setuid(), musl libc hangs up.
> void *thfunction(void*ig) {sleep(1000);returnNULL;}
> int main()
> {
>     pthread_t id;
>     pthread_create(&id, NULL, thfunction, NULL);
>     if (vfork() == 0) {
>         setuid(0); /* hangup */
>         _exit(0);
>     }
> }

That is an interesting interaction between threads and vfork().

The child process has only one thread, but it doesn't know that. It also
can't write it down, since it is sharing memory with the parent (it
would overwrite the parent's variables).

POSIX no longer defines vfork(), and therefore does not define any
safety attributes for it. Is it reasonable to define vfork() as unusable
in a multithreaded process? Calling something as intricate as
__synccall() in a vfork() child is going to corrupt memory on a large

posix_spawn() circumvents the problem by calling the system calls
directly, BTW.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.