glibc/stdlib
Adhemerval Zanella d40ac01cbb stdlib: Make abort/_Exit AS-safe (BZ 26275)
The recursive lock used on abort does not synchronize with a new process
creation (either by fork-like interfaces or posix_spawn ones), nor it
is reinitialized after fork().

Also, the SIGABRT unblock before raise() shows another race condition,
where a fork or posix_spawn() call by another thread, just after the
recursive lock release and before the SIGABRT signal, might create
programs with a non-expected signal mask.  With the default option
(without POSIX_SPAWN_SETSIGDEF), the process can see SIG_DFL for
SIGABRT, where it should be SIG_IGN.

To fix the AS-safe, raise() does not change the process signal mask,
and an AS-safe lock is used if a SIGABRT is installed or the process
is blocked or ignored.  With the signal mask change removal,
there is no need to use a recursive loc.  The lock is also taken on
both _Fork() and posix_spawn(), to avoid the spawn process to see the
abort handler as SIG_DFL.

A read-write lock is used to avoid serialize _Fork and posix_spawn
execution.  Both sigaction (SIGABRT) and abort() requires to lock
as writer (since both change the disposition).

The fallback is also simplified: there is no need to use a loop of
ABORT_INSTRUCTION after _exit() (if the syscall does not terminate the
process, the system is broken).

The proposed fix changes how setjmp works on a SIGABRT handler, where
glibc does not save the signal mask.  So usage like the below will now
always abort.

  static volatile int chk_fail_ok;
  static jmp_buf chk_fail_buf;

  static void
  handler (int sig)
  {
    if (chk_fail_ok)
      {
        chk_fail_ok = 0;
        longjmp (chk_fail_buf, 1);
      }
    else
      _exit (127);
  }
  [...]
  signal (SIGABRT, handler);
  [....]
  chk_fail_ok = 1;
  if (! setjmp (chk_fail_buf))
    {
      // Something that can calls abort, like a failed fortify function.
      chk_fail_ok = 0;
      printf ("FAIL\n");
    }

Such cases will need to use sigsetjmp instead.

The _dl_start_profile calls sigaction through _profil, and to avoid
pulling abort() on loader the call is replaced with __libc_sigaction.

Checked on x86_64-linux-gnu and aarch64-linux-gnu.

Reviewed-by: DJ Delorie <dj@redhat.com>
2024-10-08 14:40:12 -03:00
..
bits Fix name space violation in fortify wrappers (bug 32052) 2024-08-05 16:49:58 +02:00
sys
a64l.c
abort.c stdlib: Make abort/_Exit AS-safe (BZ 26275) 2024-10-08 14:40:12 -03:00
abs.c
add_n.c
addmul_1.c
alloca.h
arc4random_uniform.c
arc4random.c stdlib: fix arc4random fallback to /dev/urandom (BZ 31612) 2024-07-08 10:05:10 -03:00
at_quick_exit.c
atexit.c
atof.c
atoi.c
atol.c
atoll.c
bsearch.c
bug-fmtmsg1.c
bug-getcontext.c
bug-strtod2.c
bug-strtod.c
canonicalize.c
cmp.c
cxa_at_quick_exit.c
cxa_atexit.c
cxa_finalize.c stdlib: Describe __cxa_finalize usage in function comment 2024-06-03 19:04:58 +02:00
cxa_thread_atexit_impl.c
dbl2mpn.c
Depend
div.c
divmod_1.c
divrem.c
drand48_r.c
drand48-iter.c
drand48.c
erand48_r.c
erand48.c
errno.h
exit.c stdlib: Allow concurrent quick_exit (BZ 31997) 2024-08-05 17:07:57 -03:00
exit.h
fmtmsg.c
fmtmsg.h
fpioconst.c
fpioconst.h
gen-fpioconst.c
gen-tst-strtod-round.c More thoroughly test underflow / errno in tst-strtod-round 2024-08-27 12:38:01 +00:00
getcontext.c
getentropy.c
getenv.c
getrandom.c
getsubopt.c
gmp-impl.h
gmp.h
grouping.c
grouping.h
groupingwc.c
inlines.c
inttypes.h
isomac.c
jrand48_r.c
jrand48.c
l64a.c
labs.c
lcong48_r.c
lcong48.c
ldbl2mpn.c
ldiv.c
llabs.c
lldiv.c
longlong.h
lrand48_r.c
lrand48.c
lshift.c
makecontext.c
Makefile stdlib: Link tst-concurrent-quick_exit with $(shared-thread-library) 2024-08-06 14:01:27 -03:00
mblen.c
mbstowcs.c
mbtowc.c
mod_1.c
monetary.h
mp_clz_tab.c
mpn2dbl.c
mpn2flt.c
mpn2ldbl.c
mrand48_r.c
mrand48.c
mul_1.c
mul_n.c
mul.c
nrand48_r.c
nrand48.c
old_atexit.c
on_exit.c
putenv.c
qsort.c
quick_exit.c
rand_r.c
rand.c
random_r.c
random.c
rpmatch.c
rshift.c
secure-getenv.c
seed48_r.c
seed48.c
setcontext.c
setenv.c
srand48_r.c
srand48.c
stdbit.h
stdc_bit_ceil_uc.c
stdc_bit_ceil_ui.c
stdc_bit_ceil_ul.c
stdc_bit_ceil_ull.c
stdc_bit_ceil_us.c
stdc_bit_floor_uc.c
stdc_bit_floor_ui.c
stdc_bit_floor_ul.c
stdc_bit_floor_ull.c
stdc_bit_floor_us.c
stdc_bit_width_uc.c
stdc_bit_width_ui.c
stdc_bit_width_ul.c
stdc_bit_width_ull.c
stdc_bit_width_us.c
stdc_count_ones_uc.c
stdc_count_ones_ui.c
stdc_count_ones_ul.c
stdc_count_ones_ull.c
stdc_count_ones_us.c
stdc_count_zeros_uc.c
stdc_count_zeros_ui.c
stdc_count_zeros_ul.c
stdc_count_zeros_ull.c
stdc_count_zeros_us.c
stdc_first_leading_one_uc.c
stdc_first_leading_one_ui.c
stdc_first_leading_one_ul.c
stdc_first_leading_one_ull.c
stdc_first_leading_one_us.c
stdc_first_leading_zero_uc.c
stdc_first_leading_zero_ui.c
stdc_first_leading_zero_ul.c
stdc_first_leading_zero_ull.c
stdc_first_leading_zero_us.c
stdc_first_trailing_one_uc.c
stdc_first_trailing_one_ui.c
stdc_first_trailing_one_ul.c
stdc_first_trailing_one_ull.c
stdc_first_trailing_one_us.c
stdc_first_trailing_zero_uc.c
stdc_first_trailing_zero_ui.c
stdc_first_trailing_zero_ul.c
stdc_first_trailing_zero_ull.c
stdc_first_trailing_zero_us.c
stdc_has_single_bit_uc.c
stdc_has_single_bit_ui.c
stdc_has_single_bit_ul.c
stdc_has_single_bit_ull.c
stdc_has_single_bit_us.c
stdc_leading_ones_uc.c
stdc_leading_ones_ui.c
stdc_leading_ones_ul.c
stdc_leading_ones_ull.c
stdc_leading_ones_us.c
stdc_leading_zeros_uc.c
stdc_leading_zeros_ui.c
stdc_leading_zeros_ul.c
stdc_leading_zeros_ull.c
stdc_leading_zeros_us.c
stdc_trailing_ones_uc.c
stdc_trailing_ones_ui.c
stdc_trailing_ones_ul.c
stdc_trailing_ones_ull.c
stdc_trailing_ones_us.c
stdc_trailing_zeros_uc.c
stdc_trailing_zeros_ui.c
stdc_trailing_zeros_ul.c
stdc_trailing_zeros_ull.c
stdc_trailing_zeros_us.c
stdint.h
stdlib.h stdlib: Mark abort as cold 2024-07-31 14:26:00 +08:00
strfmon_l.c
strfmon.c
strfrom-skeleton.c
strfromd.c
strfromf.c
strfroml.c
strtod_l.c Fix strtod subnormal rounding (bug 30220) 2024-08-27 12:41:02 +00:00
strtod_nan_main.c Do not set errno for overflowing NaN payload in strtod/nan (bug 32045) 2024-09-04 13:21:23 +00:00
strtod_nan_narrow.h
strtod_nan_wide.h
strtod_nan.c
strtod.c
strtof_l.c
strtof_nan.c
strtof.c
strtol_l.c
strtol.c
strtold_l.c
strtold_nan.c
strtold.c
strtoll_l.c
strtoll.c
strtoul_l.c
strtoul.c
strtoull_l.c
strtoull.c
sub_n.c
submul_1.c
swapcontext.c
system.c
tens_in_limb.c
test-a64l.c
test-at_quick_exit-race.c
test-atexit-race-common.c
test-atexit-race.c
test-atexit-recursive.c
test-bz22786.c
test-canon2.c
test-canon.c
test-cxa_atexit-race2.c
test-cxa_atexit-race.c
test-dlclose-exit-race-helper.c
test-dlclose-exit-race.c
test-on_exit-race.c
testdiv.c
testdiv.input
testmb2.c
testmb.c
testrand.c
testsort.c
tst-abs.c
tst-arc4random-fork.c
tst-arc4random-stats.c
tst-arc4random-thread.c
tst-at_quick_exit.c
tst-atexit-common.c
tst-atexit.c
tst-atof1.c
tst-atof2.c
tst-bsearch.c
tst-bz20544.c
tst-canon-bz26341.c
tst-concurrent-exit-skeleton.c stdlib: Allow concurrent quick_exit (BZ 31997) 2024-08-05 17:07:57 -03:00
tst-concurrent-exit.c stdlib: Allow concurrent quick_exit (BZ 31997) 2024-08-05 17:07:57 -03:00
tst-concurrent-quick_exit.c stdlib: Allow concurrent quick_exit (BZ 31997) 2024-08-05 17:07:57 -03:00
tst-cxa_atexit.c
tst-empty-env.c
tst-environ.c
tst-fmtmsg.c
tst-fmtmsg.sh
tst-getrandom.c
tst-labs.c
tst-limits.c
tst-llabs.c
tst-makecontext2.c stdlib: Fix tst-makecontext2 log when swapcontext fails 2024-03-23 08:36:28 +00:00
tst-makecontext3.c
tst-makecontext-align.c
tst-makecontext.c
tst-on_exit.c
tst-putenv.c
tst-putenvmod.c
tst-qsort2.c
tst-qsort3.c
tst-qsort4.c
tst-qsort6.c
tst-qsort.c
tst-quick_exit.cc
tst-rand48-2.c
tst-rand48.c
tst-random2.c
tst-random.c
tst-realpath-toolong.c
tst-realpath.c
tst-secure-getenv.c
tst-setcontext2.c
tst-setcontext3.c
tst-setcontext3.sh
tst-setcontext4.c
tst-setcontext5.c
tst-setcontext6.c
tst-setcontext7.c
tst-setcontext8.c
tst-setcontext9.c
tst-setcontext10.c
tst-setcontext11.c
tst-setcontext.c
tst-stdbit-builtins.c
tst-stdbit-Wconversion.c
tst-stdbit.h
tst-stdc_bit_ceil.c
tst-stdc_bit_floor.c
tst-stdc_bit_width.c
tst-stdc_count_ones.c
tst-stdc_count_zeros.c
tst-stdc_first_leading_one.c
tst-stdc_first_leading_zero.c
tst-stdc_first_trailing_one.c
tst-stdc_first_trailing_zero.c
tst-stdc_has_single_bit.c
tst-stdc_leading_ones.c
tst-stdc_leading_zeros.c
tst-stdc_trailing_ones.c
tst-stdc_trailing_zeros.c
tst-strfmon_l.c
tst-strfrom-locale.c
tst-strfrom.c
tst-strfrom.h
tst-strtod1i.c Make __strtod_internal tests type-generic 2024-08-27 20:41:54 +00:00
tst-strtod2.c Add tests of more strtod special cases 2024-09-20 23:24:45 +00:00
tst-strtod3.c Make __strtod_internal tests type-generic 2024-08-27 20:41:54 +00:00
tst-strtod4.c Make __strtod_internal tests type-generic 2024-08-27 20:41:54 +00:00
tst-strtod5.c Make tst-strtod2 and tst-strtod5 type-generic 2024-09-20 23:23:13 +00:00
tst-strtod5i.c Make __strtod_internal tests type-generic 2024-08-27 20:41:54 +00:00
tst-strtod6.c
tst-strtod-nan-locale-main.c
tst-strtod-nan-locale.c
tst-strtod-nan-sign-main.c
tst-strtod-nan-sign.c
tst-strtod-overflow.c
tst-strtod-round-data Fix strtod subnormal rounding (bug 30220) 2024-08-27 12:41:02 +00:00
tst-strtod-round-data.h Fix strtod subnormal rounding (bug 30220) 2024-08-27 12:41:02 +00:00
tst-strtod-round-skeleton.c More thoroughly test underflow / errno in tst-strtod-round 2024-08-27 12:38:01 +00:00
tst-strtod-round.c
tst-strtod-underflow.c Make tst-strtod-underflow type-generic 2024-09-20 23:25:32 +00:00
tst-strtod.c
tst-strtod.h
tst-strtol-binary-c11.c
tst-strtol-binary-c23.c
tst-strtol-binary-gnu11.c
tst-strtol-binary-gnu23.c
tst-strtol-binary-main.c
tst-strtol-locale-main.c
tst-strtol-locale.c
tst-strtol.c
tst-strtoll.c
tst-swapcontext1.c
tst-swapcontext2.c Fix usage of _STACK_GROWS_DOWN and _STACK_GROWS_UP defines [BZ 31989] 2024-07-19 10:10:17 -04:00
tst-system.c support: Use macros for *stat wrappers 2024-08-16 16:05:20 +02:00
tst-thread-quick_exit.cc
tst-tininess.c
tst-tls-atexit-lib.c
tst-tls-atexit-nodelete.c
tst-tls-atexit.c
tst-unsetenv1.c
tst-width-stdint.c
tst-width.c
tst-xpg-basename.c
ucontext.h
udiv_qrnnd.c
Versions
wcstombs.c
wctomb.c
xpg_basename.c