Privilege escalation can deadlock #3910

Closed
mjstapp opened this issue Mar 5, 2019 · 0 comments

mjstapp (Contributor) commented Mar 5, 2019

Privilege elevation is process-wide; if a multithreaded process has code paths that allow multiple threads to race to call the elevation API, the process can deadlock.

Here's an example backtrace, from zebra:

(gdb) bt
#0 futex_wait (private=0, expected=1, futex_word=0xffffa9026230) at ../sysdeps/unix/sysv/linux/futex-internal.h:61
#1 futex_wait_simple (private=0, expected=1, futex_word=0xffffa9026230) at ../sysdeps/nptl/futex-internal.h:135
#2 __nptl_setxid (cmdp=0xffffa9026210) at allocatestack.c:1180
#3 0x0000ffffa9453818 in __GI_seteuid (uid=) at ../sysdeps/unix/sysv/linux/seteuid.c:34
#4 __GI_seteuid (uid=) at ../sysdeps/unix/sysv/linux/seteuid.c:24
#5 0x0000ffffa97a025c in zprivs_change_uid (op=ZPRIVS_LOWER) at lib/privs.c:647
#6 0x0000ffffa97a03a4 in _zprivs_lower (privs=0xffffa90262e8) at lib/privs.c:727
#7 0x0000aaaaca9565b4 in netlink_talk_info (filter=0xaaaaca954b40 <netlink_talk_filter>, n=0xffffa9028398, dp_info=0xaaab3da829f0, startup=0) at zebra/kernel_netlink.c:976
#8 0x0000aaaaca960b48 in netlink_route_multipath (cmd=24, ctx=0xaaab3da82920) at zebra/rt_netlink.c:1757
#9 0x0000aaaaca960dac in kernel_route_update (ctx=0xaaab3da82920) at zebra/rt_netlink.c:1854
#10 0x0000aaaaca96d770 in kernel_dplane_route_update (ctx=0xaaab3da82920) at zebra/zebra_dplane.c:1751
#11 0x0000aaaaca96d848 in kernel_dplane_process_func (prov=0xaaab09173bc0) at zebra/zebra_dplane.c:1788
#12 0x0000aaaaca96e008 in dplane_thread_loop (event=0xffffa902a870) at zebra/zebra_dplane.c:2184
#13 0x0000ffffa97c1100 in thread_call (thread=0xffffa902a870) at lib/thread.c:1607
#14 0x0000ffffa976c13c in fpt_run (arg=0xaaab092a21f0) at lib/frr_pthread.c:269
#15 0x0000ffffa95047e4 in start_thread (arg=0xffffedb1a62f) at pthread_create.c:486
#16 0x0000ffffa945a98c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
(gdb)

qlyoung added the bug label Mar 5, 2019
qlyoung added this to the 7.0 milestone Mar 5, 2019
qlyoung closed this as completed Mar 6, 2019
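
One way to keep threads from racing into the process-wide credential change reported above, shown as an added example (not FRR's code and not part of this issue): `seteuid()` is serialized behind a mutex and a reference count, so only the first raiser and the last lowerer change the effective UID. The names `priv_raise`, `priv_lower` and `race_demo` are hypothetical, and both UIDs are set to the current effective UID so the demo runs without root.

```c
#include <pthread.h>
#include <sys/types.h>
#include <unistd.h>

static pthread_mutex_t priv_mtx = PTHREAD_MUTEX_INITIALIZER;
static unsigned priv_refs;            /* threads inside a raised section */
static unsigned long euid_calls;      /* seteuid() calls actually issued */
static uid_t raised_uid, lowered_uid; /* assumption: demo uses current euid */

/* Only the 0 -> 1 transition changes the process-wide credentials. */
int priv_raise(void) {
    int rc = 0;
    pthread_mutex_lock(&priv_mtx);
    if (priv_refs == 0) { rc = seteuid(raised_uid); euid_calls++; }
    if (rc == 0) priv_refs++;
    pthread_mutex_unlock(&priv_mtx);
    return rc;
}

/* Only the 1 -> 0 transition drops them; an unbalanced lower fails. */
int priv_lower(void) {
    int rc = 0;
    pthread_mutex_lock(&priv_mtx);
    if (priv_refs == 0) rc = -1;
    else if (--priv_refs == 0) { rc = seteuid(lowered_uid); euid_calls++; }
    pthread_mutex_unlock(&priv_mtx);
    return rc;
}

static void *worker(void *arg) {
    long fails = 0; (void)arg;
    for (int i = 0; i < 500; i++) {
        if (priv_raise() != 0) { fails++; continue; }
        fails += (priv_lower() != 0); /* privileged work would precede this */
    }
    return (void *)fails;
}

/* Race up to 16 threads through raise/lower; returns failures (0 = ok). */
long race_demo(int nthreads) {
    pthread_t t[16]; void *r; long total = 0; int n = 0;
    raised_uid = lowered_uid = geteuid();
    while (n < nthreads && n < 16 && pthread_create(&t[n], NULL, worker, NULL) == 0)
        n++;
    for (int i = 0; i < n; i++) { pthread_join(t[i], &r); total += (long)r; }
    return total + (nthreads - n); /* threads not started count as failures */
}

int main(void) { return race_demo(4) != 0; }
```

Because the effective UID belongs to the process, every thread runs elevated for as long as any thread is inside a raised section, so those sections should stay short.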