9:25 p.m.
Libvirtd has set SIGPIPE to ignored, and virFork resets all signal
handlers to the defaults. But child process may write logs to
stderr/stdout, that may generate SIGPIPE if journald has stopped.
So block SIGPIPE in virFork, and unblock it before execve.
Signed-off-by: Wang Yechao <wang.yechao255(a)zte.com.cn>
---
v1 patch:
https://www.redhat.com/archives/libvir-list/2019-October/msg00720.html
Changes in v2:
- use pthread_sigmask to block SIGPIPE
Changes in v3:
- pass SIG_UNBLOCK(not SIG_SETMASK) to pthread_sigmask when unlock SIGPIPE
---
src/util/vircommand.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index 79e1e87..bd3a582 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -321,6 +321,15 @@ virFork(void)
virDispatchError(NULL);
_exit(EXIT_CANCELED);
}
+
+ sigemptyset(&newmask);
+ sigaddset(&newmask, SIGPIPE);
+ if (pthread_sigmask(SIG_BLOCK, &newmask, NULL) != 0) {
+ virReportSystemError(errno, "%s", _("cannot block
SIGPIPE"));
+ virDispatchError(NULL);
+ _exit(EXIT_CANCELED);
+ }
+
}
return pid;
}
@@ -553,6 +562,7 @@ virExec(virCommandPtr cmd)
struct sigaction waxon, waxoff;
VIR_AUTOFREE(gid_t *) groups = NULL;
int ngroups;
+ sigset_t set;
if (cmd->args[0][0] != '/') {
if (!(binary = binarystr = virFindFileInPath(cmd->args[0]))) {
@@ -792,6 +802,13 @@ virExec(virCommandPtr cmd)
/* Close logging again to ensure no FDs leak to child */
virLogReset();
+ sigemptyset(&set);
+ sigaddset(&set, SIGPIPE);
+ if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
+ virReportSystemError(errno, "%s", _("cannot unblock
SIGPIPE"));
+ goto fork_error;
+ }
+
if (cmd->env)
execve(binary, cmd->args, cmd->env);
else
--
1.8.3.1
9:43 p.m.
On 10/15/19 9:25 PM, Wang Yechao wrote:
Libvirtd has set SIGPIPE to ignored, and virFork resets all signal
handlers to the defaults. But child process may write logs to
stderr/stdout, that may generate SIGPIPE if journald has stopped.
So block SIGPIPE in virFork, and unblock it before execve.
How does that help? If writing to stderr hits EOF, it will queue up a
SIGPIPE to be delivered as soon as you unblock SIGPIPE.
The correct fix is to not unblock SIGPIPE until after any point at which
you would be performing I/O that must not fail due to SIGPIPE, rather
than messing with signal masks to just delay when SIGPIPE is delivered.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
9:59 p.m.
On 10/15/19 9:43 PM, Eric Blake wrote:
On 10/15/19 9:25 PM, Wang Yechao wrote:
> Libvirtd has set SIGPIPE to ignored, and virFork resets all signal
> handlers to the defaults. But child process may write logs to
> stderr/stdout, that may generate SIGPIPE if journald has stopped.
>
> So block SIGPIPE in virFork, and unblock it before execve.
How does that help? If writing to stderr hits EOF, it will queue up a
SIGPIPE to be delivered as soon as you unblock SIGPIPE.
The correct fix is to not unblock SIGPIPE until after any point at which
you would be performing I/O that must not fail due to SIGPIPE, rather
than messing with signal masks to just delay when SIGPIPE is delivered.
Let's word this better:
The correct fix is to keep SIGPIPE ignored until after any point at
which you would be performing I/O that must not cause SIGPIPE, reverting
SIGPIPE back to SIG_DFL at the last possible moment. Messing with
signal masks merely delays when SIGPIPE is delivered, rather than
avoiding it.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
4:02 a.m.
On Tue, Oct 15, 2019 at 09:59:46PM -0500, Eric Blake wrote:
On 10/15/19 9:43 PM, Eric Blake wrote:
> On 10/15/19 9:25 PM, Wang Yechao wrote:
> > Libvirtd has set SIGPIPE to ignored, and virFork resets all signal
> > handlers to the defaults. But child process may write logs to
> > stderr/stdout, that may generate SIGPIPE if journald has stopped.
> >
> > So block SIGPIPE in virFork, and unblock it before execve.
>
> How does that help? If writing to stderr hits EOF, it will queue up a
> SIGPIPE to be delivered as soon as you unblock SIGPIPE.
>
> The correct fix is to not unblock SIGPIPE until after any point at which
> you would be performing I/O that must not fail due to SIGPIPE, rather
> than messing with signal masks to just delay when SIGPIPE is delivered.
Let's word this better:
The correct fix is to keep SIGPIPE ignored until after any point at which
you would be performing I/O that must not cause SIGPIPE, reverting SIGPIPE
back to SIG_DFL at the last possible moment. Messing with signal masks
merely delays when SIGPIPE is delivered, rather than avoiding it.
The challenge here is that we're in between fork + execve and want signal
handlers back to their defaults at time of execve.
If we set SIGPIPE to SIG_IGN and then execve() will that get reset back
to SIG_DFL automatically ?
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
6:50 a.m.
On 10/16/19 4:02 AM, Daniel P. Berrangé wrote:
The challenge here is that we're in between fork + execve and want signal
handlers back to their defaults at time of execve.
If we set SIGPIPE to SIG_IGN and then execve() will that get reset back
to SIG_DFL automatically ?
Sadly, no. execve() does not change whether a signal is ignored or
masked (ignored is more common - a number of CI systems have had issues
where the child inherits SIGPIPE ignored because the parent forgot to
reset it, but the child wasn't expecting it; but inheriting a signal
masked is also a real issue), with the lone exception of SIGCHLD.
However, execve() _does_ change a signal that is being caught in the
parent into SIG_DFL post-exec.
That does mean, however, that it is viable to install a no-op SIGPIPE
handler (SIGPIPE is generated but ignored, I/O gets the EPIPE as
desired), then post-exec the new process will have SIG_DFL.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
9:04 a.m.
On Wed, Oct 16, 2019 at 06:50:33AM -0500, Eric Blake wrote:
On 10/16/19 4:02 AM, Daniel P. Berrangé wrote:
>
> The challenge here is that we're in between fork + execve and want signal
> handlers back to their defaults at time of execve.
>
> If we set SIGPIPE to SIG_IGN and then execve() will that get reset back
> to SIG_DFL automatically ?
Sadly, no. execve() does not change whether a signal is ignored or masked
(ignored is more common - a number of CI systems have had issues where the
child inherits SIGPIPE ignored because the parent forgot to reset it, but
the child wasn't expecting it; but inheriting a signal masked is also a real
issue), with the lone exception of SIGCHLD. However, execve() _does_ change
a signal that is being caught in the parent into SIG_DFL post-exec.
That does mean, however, that it is viable to install a no-op SIGPIPE
handler (SIGPIPE is generated but ignored, I/O gets the EPIPE as desired),
then post-exec the new process will have SIG_DFL.
Yeah, that's workable.
So we need virFork() to install a dummy SIGPIPE handler function that
is a no-op, *before* it unmasks signals.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
9:33 a.m.
On 10/16/19 9:04 AM, Daniel P. Berrangé wrote:
On Wed, Oct 16, 2019 at 06:50:33AM -0500, Eric Blake wrote:
> On 10/16/19 4:02 AM, Daniel P. Berrangé wrote:
>
>>
>> The challenge here is that we're in between fork + execve and want signal
>> handlers back to their defaults at time of execve.
>>
>> If we set SIGPIPE to SIG_IGN and then execve() will that get reset back
>> to SIG_DFL automatically ?
>
> Sadly, no. execve() does not change whether a signal is ignored or masked
> (ignored is more common - a number of CI systems have had issues where the
> child inherits SIGPIPE ignored because the parent forgot to reset it, but
> the child wasn't expecting it; but inheriting a signal masked is also a real
> issue), with the lone exception of SIGCHLD. However, execve() _does_ change
> a signal that is being caught in the parent into SIG_DFL post-exec.
>
> That does mean, however, that it is viable to install a no-op SIGPIPE
> handler (SIGPIPE is generated but ignored, I/O gets the EPIPE as desired),
> then post-exec the new process will have SIG_DFL.
Yeah, that's workable.
So we need virFork() to install a dummy SIGPIPE handler function that
is a no-op, *before* it unmasks signals.
Why mask signals at all? You either mask the signal before I/O, install
the dummy handler, then unmask (and any intermediate SIGPIPE is now
ignored by no-op), or you can merely install the dummy handler before
I/O (any SIGPIPE is ignored by no-op). That is, by the time you
identify a a safe place to install a mask (ie. no I/O between fork() and
that point, but where there will be potential I/O between that point and
exec), with plans to release it later, that same place is just as good
for changing from SIG_IGN to a no-op handler without messing with masks.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
9:44 a.m.
On Wed, Oct 16, 2019 at 09:33:59AM -0500, Eric Blake wrote:
On 10/16/19 9:04 AM, Daniel P. Berrangé wrote:
> On Wed, Oct 16, 2019 at 06:50:33AM -0500, Eric Blake wrote:
> > On 10/16/19 4:02 AM, Daniel P. Berrangé wrote:
> >
> > >
> > > The challenge here is that we're in between fork + execve and want
signal
> > > handlers back to their defaults at time of execve.
> > >
> > > If we set SIGPIPE to SIG_IGN and then execve() will that get reset back
> > > to SIG_DFL automatically ?
> >
> > Sadly, no. execve() does not change whether a signal is ignored or masked
> > (ignored is more common - a number of CI systems have had issues where the
> > child inherits SIGPIPE ignored because the parent forgot to reset it, but
> > the child wasn't expecting it; but inheriting a signal masked is also a
real
> > issue), with the lone exception of SIGCHLD. However, execve() _does_ change
> > a signal that is being caught in the parent into SIG_DFL post-exec.
> >
> > That does mean, however, that it is viable to install a no-op SIGPIPE
> > handler (SIGPIPE is generated but ignored, I/O gets the EPIPE as desired),
> > then post-exec the new process will have SIG_DFL.
>
> Yeah, that's workable.
>
> So we need virFork() to install a dummy SIGPIPE handler function that
> is a no-op, *before* it unmasks signals.
Why mask signals at all? You either mask the signal before I/O, install the
dummy handler, then unmask (and any intermediate SIGPIPE is now ignored by
no-op), or you can merely install the dummy handler before I/O (any SIGPIPE
is ignored by no-op). That is, by the time you identify a a safe place to
install a mask (ie. no I/O between fork() and that point, but where there
will be potential I/O between that point and exec), with plans to release it
later, that same place is just as good for changing from SIG_IGN to a no-op
handler without messing with masks.
The fork'd child process inherits all signal handlers from the parent.
These handlers may no longer be valid since we are mass-closing all
file descriptors. We thus need to kill off all the signal handlers
in the forkd child.
There's a window between fork & sigaction where signals can still
get delivered to the child & run the undesirable handlers. So we must
mask all signals immediately before fork, only unmasking them after
we have set all signal handlers back to their defaults.
We just need to set SIGPIPE to a dummy no-op handler before this
unmask
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
6:53 p.m.
New subject: [libvirt] [PATCH v3] util: Block SIGPIPE until execve in childprocess
The fork'd child process inherits all signal handlers from the
parent.
These handlers may no longer be valid since we are mass-closing all
file descriptors. We thus need to kill off all the signal handlers
in the forkd child.
There's a window between fork & sigaction where signals can still
get delivered to the child & run the undesirable handlers. So we must
mask all signals immediately before fork, only unmasking them after
we have set all signal handlers back to their defaults.
We just need to set SIGPIPE to a dummy no-op handler before this
unmask
If do that, i think the SIGPIPE ignored code before running hooks in virExec()
can be removed.
---
Best wishes
Wang Yechao
1863
days inactive
1864
days old
8 comments
4 participants
participants (4)
-
Daniel P. Berrangé -
Eric Blake -
Wang Yechao -
wang.yechao255@zte.com.cn