Re: Saving errno around signal handlers

[Florian Weimer <fweimer at redhat dot com>]

On 03/01/2014 01:30 AM, Rich Felker wrote:
> On Fri, Feb 28, 2014 at 12:49:45PM +0100, Florian Weimer wrote:
> > POSIX has green-lighted saving errno around signal handlers.  So the
> > question now is how we implement that.
> >
> > * glibc-only solution
> >
> > We need to wrap the signal handler with a function that calls the
> > actual handler, saving and restoring errno around it.  We do not
> > have a place to store the real handler address, so we need to use
> > separate trampolines, either generated dynamically or a from a
> > static, pre-allocated pool.  There are only a few signal handlers,
> > so a static set of trampolines would work if we deallocate
> > trampolines.
>
> This is nonsense. You only need one "trampoline". The signal number is
> the first argument to the signal handler, so it (the one trampoline)
> can simply lookup the real signal handler to run in a static array of
> function pointers based on its first argument.

Sorry, I forgot that this is intended to avoid the need for masking the 
signal while installing the signal handler.  Changing the handler 
address, flags and mask must happen in an atomic operation, otherwise 
the handler might be called with the wrong flags or mask.

> Of course I don't see why you even want to do this. The direction
> POSIX is taking is to require applications to save and restore errno
> if they might clobber it in the signal handler. There is no reason to
> introduce lots of complexity, overhead, and runtime latency to signal
> handling in glibc to accommodate programs which do not follow this
> requirement.

Saving and restoring errno has always been allowed by POSIX, yet 
extremely few applications do it in signal handlers where this is 
required for correctness.  It is easier to fix this in glibc (even if we 
have to jump through a few hoops to do this), than to patch most of the 
signal handlers out there.

--
Florian Weimer / Red Hat Product Security Team