Description Mike Gilbert 2012-02-16 04:54:37 UTC

I ran into an odd issue building grub-9999 against libzfs (sys-fs/zfs). I've simplified the issue below.

Basically, if a function with a constructor attribute in a shared library violates the sandbox restrictions, we can end up triggering an infinite recursion scenario.

For example. take fictional library libfoo with constuctor libfoo_init:

1. libfoo_init() is called before libsb_init(), so sb_unwrapped_open still points to open. See note [1] below.
2. libfoo_init() calls mkdir("/foo")
3. mkdir is wrapped by mkdir_DEFAULT
4. before_syscall
5. check_syscall; access fails
6. write_logfile
7. sb_open("/var/log/sandbox/...")
8. open("/var/log/sandbox/...")
9. open is wrapped by open_DEFAULT
10. before_syscall
11. check_syscall; access fails
12. write_logfile
13. sb_open("/var/log/sandbox/...")
14. open("/var/log/sandbox/...")
15. open is wrapped by open_DEFAULT
16. Repeat 10-15 until we run out of stack and segfault.

When threads are involved (as in libzfs), we end up locking somewhere and the sandbox code basically deadlocks instead of recursing. I haven't debugged this to see what is happening there.

I think we could avoid this by calling libsb_init() from before_syscall() or check_syscall(). I tried inserting it at the top of before_syscall, and that seemed to work.

DISCLAIMER: I don't normally work with stuff this low-level, so I may not actually know what I'm talking about.

[1] Based on a quick google search, it seems the run order of constructors in different compilation units is undefined. So, libsb_init() is not guaranteed to run before libfoo_init().

http://sources.redhat.com/ml/libc-help/2009-06/msg00000.html