Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Our fork/exec spawning is unsafe #3494

Closed
RAOF opened this issue Jul 17, 2024 · 3 comments · Fixed by #3591
Closed

Our fork/exec spawning is unsafe #3494

RAOF opened this issue Jul 17, 2024 · 3 comments · Fixed by #3591

Comments

@RAOF
Copy link
Contributor

RAOF commented Jul 17, 2024
edited
Loading

exec_wayland() is called after fork():

mir/src/server/frontend_xwayland/xwayland_server.cpp

Lines 53 to 98 in 953de04

void exec_xwayland(
mf::XWaylandSpawner const& spawner,
std::string const& xwayland_path,
mir::Fd wayland_client_fd,
mir::Fd x11_wm_server_fd,
float scale)
{
mf::XWaylandSpawner::set_cloexec(wayland_client_fd, false);
mf::XWaylandSpawner::set_cloexec(x11_wm_server_fd, false);
setenv("WAYLAND_SOCKET", std::to_string(wayland_client_fd).c_str(), 1);
auto const x11_wm_server = std::to_string(x11_wm_server_fd);
auto const dsp_str = spawner.x11_display();
// This DPI only effects some apps (most app care about GDK_SCALE and other environment variables)
unsigned const dpi = scale * 96;
auto const dpi_str = std::to_string(dpi);
std::vector<char const*> args =
{
xwayland_path.c_str(),
dsp_str.c_str(),
"-rootless",
"-dpi",
dpi_str.c_str(),
"-wm", x11_wm_server.c_str(),
"-terminate",
};
for (auto const& fd : spawner.socket_fds())
{
mf::XWaylandSpawner::set_cloexec(fd, false);
args.push_back("-listen");
// strdup() may look like a leak, but execvp() will trash all resource management
args.push_back(strdup(std::to_string(fd).c_str()));
}
if (auto const xwayland_option = getenv("MIR_XWAYLAND_OPTION"))
args.push_back(xwayland_option);
args.push_back(nullptr);
execvp(xwayland_path.c_str(), const_cast<char* const*>(args.data()));
perror(("Failed to execute Xwayland binary: xwayland_path='" + xwayland_path + "'").c_str());
}

Unfortunately, man 2 fork says:

After a fork() in a multithreaded program, the child can safely call only async-signal-safe functions (see signal-safety(7)) until such time as it calls execve(2).

We should instead do as much setup as possible in the parent, and then call fork(). (Amusingly, even execvp is not async-signal-safe 🤦‍♀️ )
@AlanGriffiths AlanGriffiths mentioned this issue Jul 18, 2024
Merged
@AlanGriffiths
Copy link
Contributor

Amusingly, even execvp is not async-signal-safe

That probably doesn't matter: we should use execve() directly (we default xwayland-path to "/usr/bin/Xwayland", which doesn't need PATH handling)

@RAOF RAOF changed the title XWayland spawning is unsafe Our fork/exec spawning is unsafe Jul 19, 2024
@RAOF
Copy link
Contributor Author

RAOF commented Jul 19, 2024

Oops! When reviewing #3497 I also see that miral::launch_app_env suffers from the same problems.

@RAOF RAOF mentioned this issue Sep 6, 2024
Merged
@AlanGriffiths
Copy link
Contributor

in #3588 @RAOF asked:

This is a partial fix for #3494, right? It's not a full fix for that?

True. There's still...

mir/src/miral/launch_app.cpp

Lines 110 to 116 in ecc4899

std::vector<char const*> exec_args;
for (auto const& arg : app)
exec_args.push_back(arg.c_str());
exec_args.push_back(nullptr);
...that clearly needs fixing to avoid allocations.

We also need to deal with the {un,}setenv() calls. By my reading these are not "async-signal-safe". I think we should be using execvpe().

@AlanGriffiths AlanGriffiths mentioned this issue Sep 9, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue Sep 11, 2024
@AlanGriffiths
Rework miral::launch_app_env() to avoid calling functions that are …
2ef1ecf 
…not async-signal-safe after fork() (#3591)

Fixes: #3494
Saviq pushed a commit that referenced this issue Sep 23, 2024
@AlanGriffiths @Saviq
Rework miral::launch_app_env() to avoid calling functions that are …
c8a0ce4 
…not async-signal-safe after fork() (#3591)

Fixes: #3494
@Saviq Saviq mentioned this issue Sep 24, 2024
Merged
Saviq pushed a commit that referenced this issue Sep 25, 2024
@AlanGriffiths @Saviq
Rework miral::launch_app_env() to avoid calling functions that are …
35785da 
…not async-signal-safe after fork() (#3591)

Fixes: #3494
Saviq added a commit that referenced this issue Sep 27, 2024
@Saviq
Bugfix release 2.18.1
24a3a18 
Enhancements:
. Allow to specify an app id for when running on the wayland platform #3614

Bugs fixed:
. SIGSEGV on input device disconnection #3601
. Frame fails to enforce fullscreen on wpe-webkit-mir-kiosk #3600
. Chromium unmaximises when focus is lost #3592
. Apps constantly resizing #3573
. Our fork/exec spawning is unsafe #3494
. Revert "Fix random leak" #3609
. Smoke tests are failing #3610
Saviq added a commit that referenced this issue Sep 27, 2024
@Saviq
Bugfix release 2.18.2
824d0ef 
Enhancements:
. Allow to specify an app id for when running on the wayland platform #3614

Bugs fixed:
. SIGSEGV on input device disconnection #3601
. Frame fails to enforce fullscreen on wpe-webkit-mir-kiosk #3600
. Chromium unmaximises when focus is lost #3592
. Apps constantly resizing #3573
. Our fork/exec spawning is unsafe #3494
. Revert "Fix random leak" #3609
. Smoke tests are failing #3610
github-merge-queue bot pushed a commit that referenced this issue Sep 30, 2024
@Saviq
Release 2.18.2 (#3603)
4d066de 
>  Release 2.18.2
>
>  Enhancements:
>  - #3614
>  - #3617
>
>  Bugs fixed:
>   - #3601
>   - #3600
>   - #3592
>   - #3573
>   - #3494
>   - #3609
>   - #3610
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@RAOF @AlanGriffiths