[libcxx-commits] [PATCH] D123428: [libunwind] Add configuration to disable sigreturn frame check

Ryan Prichard via Phabricator via libcxx-commits libcxx-commits at lists.llvm.org
Tue Apr 26 20:58:51 PDT 2022

rprichard added a comment.

In D123428#3475346 <https://reviews.llvm.org/D123428#3475346>, @smeenai wrote:

> In D123428#3444212 <https://reviews.llvm.org/D123428#3444212>, @MaskRay wrote:
>> https://github.com/abseil/abseil-cpp/blob/master/absl/debugging/internal/address_is_readable.cc has gone through several iterations. We can use `rt_sigprocmask`.
> @rprichard, do you know if this would work for Android? It has the TOCTOU issue, but I imagine it's much simpler than having to manage and synchronize the pipe fd, and we could live with the TOCTOU in practice.

I'm glad @MaskRay found this -- I think it will probably work, and it seems better than assuming the PC is readable.

I see rt_sigprocmask listed in bionic/libc/SYSCALLS.TXT, and I don't see it mentioned in any of the bionic/libc/SECCOMP*.txt files. I think that means seccomp is allowing the system call. I looked at kernel/signal.c, and AFAICT it's not doing any security checks that could be a problem. Bionic itself uses `rt_sigprocmask` for (at least) spawning new processes, creating/exiting threads, TLS-related locking, POSIX timers, and abort(). I think any seccomp-like blocking of rt_sigprocmask would have to be very targeted, so I think the syscall is probably allowed everywhere on Android.

It is assuming that the kernel will validate the address before validating the `how`. The kernel has a principle of not breaking userland -- is there a more specific guarantee we can rely on? e.g. The code has this comment:

  // This strategy depends on Linux implementation details,
  // so we rely on the test to alert us if it stops working.

The kernel source is structured as two wrappers around sigprocmask, `SYSCALL_DEFINE4(rt_sigprocmask, ...)` and `COMPAT_SYSCALL_DEFINE4(rt_sigprocmask, ...)`. The wrappers copy user memory to/from kernel memory before calling `sigprocmask`, so it makes sense that they would validate the address first.
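The probe being discussed, written out as an added example (this is my code, not abseil's address_is_readable.cc and not part of the libunwind patch). It assumes Linux, the 8-byte kernel sigset_t of x86/arm/arm64/riscv, and the copy-before-validate ordering described above; the `PROBE_*` result codes and the `self_check` helper are my own names. Unlike a plain "errno != EFAULT" check it reports a third outcome when the kernel stops behaving as assumed, which is the case the "rely on the test to alert us" comment is worried about:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Size of the kernel's sigset_t (NOT glibc's 128-byte sigset_t). 8 bytes is
 * right for x86, arm, arm64 and riscv (_NSIG == 64); MIPS uses 16 (assumption
 * about the target, not something the kernel tells us). The kernel rejects any
 * other size with EINVAL before touching user memory, so a wrong value here
 * would make every address look readable. */
#define KERNEL_SIGSET_SIZE 8

#define PROBE_UNREADABLE  0
#define PROBE_READABLE    1
#define PROBE_UNEXPECTED -1   /* kernel no longer orders the checks as assumed */

/*
 * Probe whether the aligned KERNEL_SIGSET_SIZE-byte block containing addr is
 * readable, without dereferencing it and without touching the signal mask.
 *
 * rt_sigprocmask(how, nset, oset, sigsetsize) copy_from_user()s nset before
 * sigprocmask() looks at `how`, so with an invalid `how` the call can never
 * succeed and errno tells us which check failed first:
 *   EFAULT -> nset not readable
 *   EINVAL -> nset was readable, `how` rejected afterwards
 * That ordering is an implementation detail, so anything else is reported as
 * PROBE_UNEXPECTED rather than guessed at.
 *
 * The answer is only valid at the instant of the probe: another thread may
 * unmap the page before the caller reads it (the TOCTOU raised in the thread).
 */
int address_is_readable(const void *addr)
{
    /* Align down so the copy never straddles into the following page. */
    uintptr_t u = (uintptr_t)addr & ~(uintptr_t)(KERNEL_SIGSET_SIZE - 1);

    /* With nset == NULL the kernel skips the copy and the call would succeed,
     * so address 0 must be handled explicitly. */
    if (u == 0)
        return PROBE_UNREADABLE;

    int saved_errno = errno;   /* keep the probe transparent to the caller */
    errno = 0;
    long rc = syscall(SYS_rt_sigprocmask, -1 /* not SIG_BLOCK/UNBLOCK/SETMASK */,
                      (const void *)u, (void *)NULL, (size_t)KERNEL_SIGSET_SIZE);
    int err = errno;
    errno = saved_errno;

    if (rc == -1 && err == EFAULT)
        return PROBE_UNREADABLE;
    if (rc == -1 && err == EINVAL)
        return PROBE_READABLE;
    return PROBE_UNEXPECTED;
}

/* Map two anonymous pages, make the second PROT_NONE, and check that the probe
 * classifies both (including the last bytes of the readable page) correctly.
 * Returns 1 on success, 0 on any mismatch. */
int self_check(void)
{
    long page = sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, 2 * (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;

    int ok = 1;
    if (address_is_readable(p) != PROBE_READABLE) ok = 0;
    /* Last byte of the readable page: alignment keeps the copy inside it. */
    if (address_is_readable(p + page - 1) != PROBE_READABLE) ok = 0;
    if (mprotect(p + page, (size_t)page, PROT_NONE) != 0) ok = 0;
    if (address_is_readable(p + page) != PROBE_UNREADABLE) ok = 0;
    if (address_is_readable(p + page + 3) != PROBE_UNREADABLE) ok = 0;

    munmap(p, 2 * (size_t)page);
    return ok;
}

int main(void)
{
    int x = 0;
    printf("stack variable readable: %d\n", address_is_readable(&x));
    printf("self-check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

Build with `cc -o probe probe.c` and run it; a `PROBE_UNEXPECTED` from any address is the signal that the kernel-ordering assumption has broken and the unwinder should fall back to treating the PC as unreadable.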
