[asterisk-bugs] [JIRA] (ASTERISK-28776) Non async-signal-safe syscalls used after fork before exec

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu May 28 07:27:28 CDT 2020


     [ https://issues.asterisk.org/jira/browse/ASTERISK-28776?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-28776:
-------------------------------------

    Target Release Version/s: 16.11.0

> Non async-signal-safe syscalls used after fork before exec
> ----------------------------------------------------------
>
>                 Key: ASTERISK-28776
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28776
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Applications/app_system
>    Affects Versions: 16.8.0
>         Environment: musl libc based linux
>            Reporter: nappsoft
>            Severity: Minor
>              Labels: patch
>      Target Release: 13.34.0, 16.11.0
>
>         Attachments: asterisk_asyncsafe2.patch
>
>
> When using System or TrySystem in a dialplan a Channel sometimes hangs forever and a forked process can be seen on the system which can only be killed with kill -9
> While I could already observe this in the past very very very rarely it is quite easy to reproduce with musl 1.2.0 and the next-gen malloc implementation.
> When describing this behavior on the musl mailinglist the musl devs pointed out, that this is expected behavior as obviously asterisk uses some non async-signal-safe syscalls after fork() before exec().
> While there seem to be more tolerant libc implementations it doesn't change the fact that asterisk doesn't behave Posix conform:
> Rich Felker cited the following: 
> See https://pubs.opengroup.org/onlinepubs/9699919799/functions/fork.html
>     - A process shall be created with a single thread. If a
>       multi-threaded process calls fork(), the new process shall
>       contain a replica of the calling thread and its entire address
>       space, possibly including the states of mutexes and other
>       resources. Consequently, to avoid errors, the child process may
>       only execute async-signal-safe operations until such time as one
>       of the exec functions is called.
> Indeed I was able to work around the issue by slightly changing the asterisk sources. While the attached patch fixes the issue and we can happily work with it (the mentioned issues with the patch do not matter at all in our environment), it is far from being production ready. It is only meant to give you a hint for which parts of the code should be revised!
> The problems with the attached patch:
> - it is slower (the closefrom() implementation is by far faster than the dump loop I've used to replace it => with max open files set to 22000 I meassured 7ms to complete the fd closing compared to 70ns with the closefrom() implementation)
> - it is less secure (as the cap_set_proc code has been removed after fork)
> - some logging needed to be removed (as I assumed that ast_log and ast_verb involve async-signal-unsafe operations)



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list