Date: Tue, 10 Mar 2020 20:47:29 -0400
From: Rich Felker <dalias@...c.org>
To: Pirmin Walthert <pirmin.walthert@...om.ch>, musl@...ts.openwall.com
Subject: Re: Re: FYI: some observations when testing next-gen malloc

On Tue, Mar 10, 2020 at 11:06:57AM +0100, Szabolcs Nagy wrote:
> * Pirmin Walthert <pirmin.walthert@...om.ch> [2020-03-10 10:44:46 +0100]:
> > On 09.03.20 at 19:55, Szabolcs Nagy wrote:
> > > * Pirmin Walthert <pirmin.walthert@...om.ch> [2020-03-09 19:14:59 +0100]:
> > > > On 09.03.20 at 18:12, Rich Felker wrote:
> > > > > It's not described very rigorously, but effectively it's in an async
> > > > > signal context and can only call functions which are AS-safe.
> > > > > 
> > > > > A future version of the standard is expected to drop the requirement
> > > > > that fork itself be async-signal-safe, and may thereby add
> > > > > requirements to synchronize against some or all internal locks so that
> > > > > the child can inherit a working context. But the right solution here is
> > > > > always to stop using fork without exec.
> > > > > 
> > > > > Rich
> > > > Well, I have now changed the code a bit to make sure that no
> > > > async-signal-unsafe command is being executed before execl. Things I've
> > > > removed:
> > > > 
> > > > a call to cap_from_text, cap_set_proc and cap_free has been removed as well
> > > > as sched_setscheduler. Now the only thing being executed before execl in the
> > > > child process is closefrom()
> > > 
> > > closefrom is not as-safe.
> > > 
> > > i think it reads /proc/self/fd directory to close fds.
> > > (haven't checked the specific asterisk version)
> > > opendir calls malloc so it can deadlock.
> > > 
> > Indeed I am not able to reproduce the problem any longer with a modified
> > version of asterisk. What I've changed is:
> > 
> > Removed some code that sets the capabilities after fork() (with
> > cap_from_text, cap_set_proc, cap_free) and closefrom replaced with a thumb
> > loop over all possible fds up to sysconf(_SC_OPEN_MAX). With this
> > modification the fd closing procedure with max open files set to 21471 now
> > needs 7ms instead of 70ns (so a slowdown by times 100), however this is not
> > critical in our environment...
> > 
> > Will discuss the findings with the asterisk developers.
> > 
> > Thanks for your hints!
> 
> good.
> 
> ideally they would use close-on-exec fds and then
> you don't need such ugliness.
> 
> please don't drop the list from replies.

While indeed the right thing is not to do a closefrom/closeall hack
at all, if you really can't fix the fd leaks and need to, there is a
fast but safe version that doesn't require listing /proc/self/fd.
Instead, call poll() with a large array of pollfd with .events = 0 for
each element, and zero timeout, and check the .revents of each for
POLLNVAL. This will tell you with very few syscalls (probably just 1)
which file descriptors are open.

Rich
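
The poll()-based scan described in the message above, written out as an added example (not code from this thread, asterisk or musl). The name close_fds_from, the FD_CHUNK batch size and the [lowfd, maxfd) interface are assumptions; it polls in stack-sized batches instead of one large array so that nothing is allocated.

```c
/* Added example: close every open descriptor in [lowfd, maxfd) using only
 * poll() and close(), both async-signal-safe, so it can run in the child
 * between fork() and exec. No malloc, no opendir of /proc/self/fd. */
#include <errno.h>
#include <poll.h>
#include <unistd.h>

#define FD_CHUNK 1024   /* assumed batch size: 8 KiB of stack per poll() */

/* Returns the number of descriptors closed, or -1 if poll() failed.
 * maxfd must not exceed RLIMIT_NOFILE: Linux rejects a larger nfds
 * with EINVAL. */
int close_fds_from(int lowfd, int maxfd)
{
    struct pollfd pfd[FD_CHUNK];
    int closed = 0;

    for (int base = lowfd; base < maxfd; base += FD_CHUNK) {
        int n = maxfd - base < FD_CHUNK ? maxfd - base : FD_CHUNK;

        for (int i = 0; i < n; i++) {
            pfd[i].fd = base + i;
            pfd[i].events = 0;      /* request no events */
            pfd[i].revents = 0;
        }
        /* Zero timeout: returns at once. POLLNVAL is reported even with
         * events == 0 and marks descriptors that are not open. */
        int rc;
        do rc = poll(pfd, (nfds_t)n, 0);
        while (rc < 0 && errno == EINTR);
        if (rc < 0)
            return -1;

        for (int i = 0; i < n; i++) {
            if (pfd[i].revents & POLLNVAL)
                continue;           /* not an open descriptor */
            close(pfd[i].fd);       /* result ignored on purpose */
            closed++;
        }
    }
    return closed;
}

int main(void)
{
    /* Demo: close everything above stderr, as a child would before execl(). */
    long lim = sysconf(_SC_OPEN_MAX);
    return close_fds_from(3, lim > 0 ? (int)lim : 1024) < 0;
}
```

With the limit of 21471 mentioned earlier in the thread this takes 21 poll() calls, plus one close() per descriptor that is actually open.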
