Block signals when freeing the stack for a detached thread (#126)

sunfishcode · web-flow · commit df6d452fa09a · 2024-08-23T08:35:11.000-07:00
When a detached thread exits, it frees its own stack, creating a window between the time when the stack is freed and the thread exits. If a signal is delivered to the thread in that window, it will attempt to run on the freed stack. To avoid this hazard, use `rustix::runtime::sigprocmask` to block all signals on the thread before freeing the stack. This causes all process-directed signals to be delivered to a different thread in the process. A slight infelicity is that thread-directed symbols directed at the detached thread that arrive during this time will be silently ignored. However, since such signals would already be racing with the thread exit, so there's no guarantee they won't be delivered after the exit and therefore to a different thread that reuses the tid. So this problem is arguably unobservable. Fixes #125.
diff --git a/src/thread/linux_raw.rs b/src/thread/linux_raw.rs
@@ -27,6 +27,8 @@ use rustix::mm::{mmap_anonymous, mprotect, MapFlags, MprotectFlags, ProtFlags};
 use rustix::param::{linux_execfn, page_size};
 use rustix::process::{getrlimit, Resource};
 use rustix::runtime::{exe_phdrs, set_tid_address};
+#[cfg(feature = "signal")]
+use rustix::runtime::{sigprocmask, How, Sigset};
 use rustix::thread::gettid;
 
 /// An opaque pointer to a thread.
@@ -713,6 +715,14 @@ unsafe fn exit(return_value: Option<NonNull<c_void>>) -> ! {
             // memory that we've freed trying to clear our tid when we exit.
             let _ = set_tid_address(null_mut());
 
+            // In preparation for freeing the stack, block all signals, so that
+            // no signals for the process are delivered to this thread.
+            #[cfg(feature = "signal")]
+            {
+                let all = Sigset { sig: [!0] };
+                sigprocmask(How::BLOCK, Some(&all)).ok();
+            }
+
             // `munmap` the memory, which also frees the stack we're currently
             // on, and do an `exit` carefully without touching the stack.
             let map = current_stack_addr.cast::<u8>().sub(current_guard_size);
