Interesting, a mysterious bug report I've been struggling to track down just got solved. It turns out, 32-bit getcontext() can return failure if run inside a docker container. Apparently the cause is the default docker seccomp policy doesn't allow sigprocmask() (wtf?). 
Have you traced the syscall to see if it is failing or if libc is discarding the error? The default profile *should* return EPERM for anything blocked. rt_sigprocmask is allowed but it looks like sigprocmask is still defined on 32bit and not...
sigprocmask is an operation where there's likely to be no possibility of forward progress if it fails (assuming valid usage), so it doesn't make sense for libc or anything else to be checking for error. However..
sigprocmask() silently failing?
That should *definitely* be a CVE, and make a whole damn lot of noise.
I don't really blame Docker though. The blame should be mostly on Linux for making an interface where it's easy to do the wrong thing, and framed as security hardening.
Failure of getcontext is a small bug here, although very dangerous too. The big story is silent omission of what's essentially a "lock" operation (blocking signals for a critical section).
Docs? We don't need docs where we're going
It's going all over my head! Haha.