Re: [PATCH] ptrace RSE bug

public inbox for linux-ia64@vger.kernel.org
 help / color / mirror / Atom feed

From: Petr Tesarik <ptesarik@suse.cz>
To: linux-ia64@vger.kernel.org
Subject: Re: [PATCH] ptrace RSE bug
Date: Fri, 16 Nov 2007 20:05:35 +0000	[thread overview]
Message-ID: <473DF80F.6020705@suse.cz> (raw)
In-Reply-To: <1188357710.22637.7.camel@sli10-conroe.sh.intel.com>

Roland McGrath wrote:
>> I found it extremely difficult to trigger the race condition without the
>> articifial test - arch_ptrace_stop() only sleeps if the user page is not
>> present, but in the common case the register stack backing store will
>> have been quite recently accessed by the process.
> 
> It is supposed to be a rare race, after all. :-)  We're just being thorough
> to cover it, not that it ever actually happened in practice or was expected to.
> 
>> It should be possible to create a large file, flush the page cache, put
>> the RSE into lazy mode, flush it and map the register stack from that
>> file, so that no memory accesses to the backing store are done before
>> ptrace_stop(), but for the time being I placed an msleep(100) after
>> arch_ptrace_stop().
> 
> And then make the file so mapped be from a broken NFS or FUSE or somesuch
> mount that actually blocks forever on the fault.  That would be the
> probable style of a DoS attack exploiting this to create unkillable processes.
> 
>> Anyway, I produced a test case which succeeds when the call to
>> sigkill_pending() is in and fails when it's commented out. I'm attaching
>> it here (the kernel patch to follow).
> 
> Ok!  It sounds like we've verified all the pieces of the fix.
> 
> There's one more wrinkle that I've remembered.  A traced process has not
> necessarily gone through ptrace_stop when you do ptrace on it, though
> normally so.  It can be in job control stop (TASK_STOPPED), such as when
> you attach gdb to something stopped by ^Z.  To cover that case, the easiest

Interesting. I've just tried attaching to a stopped process and gdb
hangs on wait4(). When I resume the process, gdb complains like this:

/build/buildd/gdb-6.4.90.dfsg/gdb/linux-nat.c:1025: internal-error:
linux_nat_attach: Assertion `pid = GET_PID (inferior_ptid) &&
WIFSTOPPED (status) && WSTOPSIG (status) = SIGSTOP' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)

So, it seems to me that attaching to stopped processes is broken anyway,
because debugger expect to get a notification signal when they do
PTRACE_ATTACH. Shouldn't the kernel generate one? (Which would BTW also
make the special handling of ptrace_attach for our purposes unnecessary.)

Regards,
Petr Tesarik

next prev parent reply	other threads:[~2007-11-16 20:05 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-08-29  3:21 [PATCH] ptrace RSE bug Shaohua Li
2007-08-29  7:10 ` Roland McGrath
2007-08-29  7:29 ` Matthew Chapman
2007-08-29  8:01 ` Roland McGrath
2007-09-05 16:25 ` Petr Tesarik
2007-09-06  3:16 ` Shaohua Li
2007-09-06 13:59 ` Petr Tesarik
2007-09-07  1:02 ` Shaohua Li
2007-09-07  8:26 ` Petr Tesarik
2007-09-07 15:11 ` David Mosberger-Tang
2007-09-11  8:39 ` Shaohua Li
2007-10-17 14:56 ` Petr Tesarik
2007-10-17 19:48 ` Petr Tesarik
2007-10-17 19:55 ` Petr Tesarik
2007-10-18  1:54 ` Shaohua Li
2007-10-18 10:59 ` Petr Tesarik
2007-10-18 16:02 ` Christoph Hellwig
2007-10-19  7:30 ` Shaohua Li
2007-10-19 19:42 ` Petr Tesarik
2007-10-24  3:34 ` Shaohua Li
2007-10-24 23:38 ` Luck, Tony
2007-10-25  0:38 ` Shaohua Li
2007-11-12  2:14 ` Roland McGrath
2007-11-12 15:41 ` Petr Tesarik
2007-11-12 16:11 ` Petr Tesarik
2007-11-13  0:30 ` Roland McGrath
2007-11-13 11:07 ` Petr Tesarik
2007-11-14  5:38 ` Shaohua Li
2007-11-14  6:47 ` Roland McGrath
2007-11-14  7:37 ` Petr Tesarik
2007-11-14  7:40 ` Roland McGrath
2007-11-14  7:53 ` Petr Tesarik
2007-11-14  7:55 ` Petr Tesarik
2007-11-14 11:09 ` Roland McGrath
2007-11-16 20:05 ` Petr Tesarik [this message]
2007-11-18  3:08 ` Roland McGrath

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=473DF80F.6020705@suse.cz \
    --to=ptesarik@suse.cz \
    --cc=linux-ia64@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox