Re: Need some security advice for systemtap

David Smith wrote:
> Martin Hunt wrote:
>> On Mon, 2007-06-18 at 14:44 -0500, David Smith wrote:
>>> Pavel Kankovsky wrote:
>>>> On Mon, 11 Jun 2007, David Smith wrote:
>>>>
>>>> BTW2: Let's suppose start_cmd() creates a process running under an
>>>> unprivileged user. I think it can be killed (by the unprivileged user)
>>>> before it gets SIGUSR1 and the system might recycle its pid. Therefore
>>>> kill() in the STP_START branch of stp_main_loop() is unsafe.
>>> Hmm. Got any ideas on how to fix this?
>>
>> So, while the module loads its probes, we kill the start_cmd() process
>> and create enough new processes to recycle the pid? Then staprun sends
>> either SIGKILL or SIGUSR1 to the wrong process? Theoretically, if we set
>> tens of thousands of probes, we would have a few milliseconds to do
>> this.
>
> I do agree it isn't a likely occurrence, but if it is possible to fix we
> ought to look at it.

This should be manageable. When a child process exits, it sends a SIGCHLD and sits as a zombie until the parent has wait()ed for it. As long as it's a zombie, the pid won't be recycled.

We just need to notice in our sig handler that the start_cmd process died, and make sure we don't try to kill the pid after that.

Josh

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
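The SIGCHLD/zombie approach Josh describes, as an added C example that is not staprun's own code: the handler only records that the child died and deliberately does not reap it, so the pid cannot be handed to another process until the main loop has decided whether to signal it. All function names here are assumptions for illustration.

```c
// Added example (not staprun's code): never signal a stale start_cmd pid.
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t child_exited;   // written by handler, read by main

static void sigchld_handler(int sig)
{
    (void)sig;
    child_exited = 1;
    // No wait() here on purpose: the child stays a zombie, so the kernel
    // cannot reuse its pid until the main loop reaps it explicitly.
}

// Install before fork() so an early child exit cannot be missed.
static int install_sigchld(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchld_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;   // not SA_NOCLDWAIT: we want the zombie kept
    return sigaction(SIGCHLD, &sa, NULL);
}

// Send sig only while the child is known to be alive (or still a zombie,
// which is harmless: a zombie's pid cannot belong to anyone else yet).
// Returns 0 on delivery, -1 with errno=ESRCH if the child already exited.
static int signal_child(pid_t pid, int sig)
{
    if (child_exited) { errno = ESRCH; return -1; }
    return kill(pid, sig);
}

// Poll the flag for up to timeout_ms; returns 1 once the handler has run.
static int wait_exited(int timeout_ms)
{
    struct timespec ts = {0, 1000000};   // 1 ms
    for (int i = 0; i < timeout_ms && !child_exited; i++) nanosleep(&ts, NULL);
    return child_exited;
}

// Reap the zombie; only after this call may the kernel recycle the pid.
static int reap_child(pid_t pid)
{
    int status;
    return waitpid(pid, &status, 0) == pid ? 0 : -1;
}
```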
