This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] Avoid deadlock in malloc on backtrace
- From: Szabolcs Nagy <nsz at port70 dot net>
- To: Carlos O'Donell <carlos at redhat dot com>
- Cc: Siddhesh Poyarekar <siddhesh at redhat dot com>, libc-alpha at sourceware dot org
- Date: Fri, 27 Feb 2015 15:20:11 +0100
- Subject: Re: [PATCH] Avoid deadlock in malloc on backtrace
- Authentication-results: sourceware.org; auth=none
- References: <20150224100249 dot GA31871 at spoyarek dot pnq dot redhat dot com> <54EF9B9C dot 1080305 at redhat dot com>
* Carlos O'Donell <carlos@redhat.com> [2015-02-26 17:18:04 -0500]:
> (1) Delaying the abort is bad for security.
>
> Problem: The library should abort() immediately from a security perspective.
>
> Solution: Don't delay, call abort() immediately.
i think from security pov immediate crash (__builtin_trap) is the right solution
abort is complex (eg glibc tries to fflush stdio buffers)
> (2) Use a simpler backtrace.
> - Use a backtrace that doesn't require dlopen, or malloc.
>
> One doesn't exist, and would be hard to create, just look at the
> work it took to get the unwinder to the level that it is in gcc
> today.
dlopen("libgcc_s.so") is bad
when glibc and gcc are not the installed host tools it will use
the wrong library because nobody would expect the libc to open
shared objects of the compiler at runtime so that wont be in the
library path: eg. the testrun.sh in glibc does not expect it
> (5) Dynamically link with _Unwind_Backtrace to avoid dlopen's malloc.
> - Link dynamically with libgcc_s.so in order to have immediate access
> to the unwinder.
as far as i'm concerned libgcc_s should not exist:
such dependency between the c runtime and the compiler is bound to
break things
(i would be happy with a dummy backtrace)