Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Safe 2.35 localizing %SIG

4 views
Skip to first unread message

David Cantrell

unread,
May 21, 2013, 7:15:21 PM5/21/13
to perl5-...@perl.org
I've been bitten by the localizing of %SIG in the latest Safe.pm. I'm
using a SIG ALRM to have execution of the Safe compartment time out:
https://metacpan.org/source/DCANTRELL/CPAN-ParseDistribution-1.4/lib/CPAN/ParseDistribution.pm#L186

and this no longer works. I can see why locally undefing %SIG is probably a
good idea, but it would be Really Good if there was a way of controlling
this so that I could specify that I want to be able to handle particular
signals.

Other things: the documentation still warns about the risks of signals,
without making clear what's going to happen; localizing $SIG and @SIG as
well as %SIG is probably not what was intended; and finally, can anyone
think of a clean, simple alternative that I can use for timing out a Safe
compartment?

--
David Cantrell | Pope | First Church of the Symmetrical Internet

Eye have a spelling chequer / It came with my pea sea
It planely marques four my revue / Miss Steaks eye kin knot sea.
Eye strike a quay and type a word / And weight for it to say
Weather eye am wrong oar write / It shows me strait a weigh.

Rafael Garcia-Suarez

unread,
May 22, 2013, 5:48:39 AM5/22/13
to David Cantrell, perl5-...@perl.org
On 22 May 2013 01:15, David Cantrell <da...@cantrell.org.uk> wrote:
> I've been bitten by the localizing of %SIG in the latest Safe.pm. I'm
> using a SIG ALRM to have execution of the Safe compartment time out:
> https://metacpan.org/source/DCANTRELL/CPAN-ParseDistribution-1.4/lib/CPAN/ParseDistribution.pm#L186
>
> and this no longer works. I can see why locally undefing %SIG is probably a
> good idea, but it would be Really Good if there was a way of controlling
> this so that I could specify that I want to be able to handle particular
> signals.

I have a working exploit against earlier safes that uses SIGCHLD to
execute untrusted code, but it can be adapted to use any other signal.
I can send it to you if you're interested.

> Other things: the documentation still warns about the risks of signals,
> without making clear what's going to happen; localizing $SIG and @SIG as
> well as %SIG is probably not what was intended; and finally, can anyone
> think of a clean, simple alternative that I can use for timing out a Safe
> compartment?

I localized *SIG to remove all magic from it. Localizing %SIG is not
enough (it does not fix the vulnerability).

David Cantrell

unread,
May 22, 2013, 5:30:19 PM5/22/13
to perl5-...@perl.org
On Wed, May 22, 2013 at 11:48:39AM +0200, Rafael Garcia-Suarez wrote:
> On 22 May 2013 01:15, David Cantrell <da...@cantrell.org.uk> wrote:
> > I've been bitten by the localizing of %SIG in the latest Safe.pm. I'm
> > using a SIG ALRM to have execution of the Safe compartment time out:
> > https://metacpan.org/source/DCANTRELL/CPAN-ParseDistribution-1.4/lib/CPAN/ParseDistribution.pm#L186
> > and this no longer works. I can see why locally undefing %SIG is probably a
> > good idea, but it would be Really Good if there was a way of controlling
> > this so that I could specify that I want to be able to handle particular
> > signals.
> I have a working exploit against earlier safes that uses SIGCHLD to
> execute untrusted code, but it can be adapted to use any other signal.
> I can send it to you if you're interested.

I believe you!

I've just spent an unproductive couple of hours trying to patch Safe.pm
to allow me to give it a list of signals that I want to leave working
anyway regardless of the potential problems, but couldn't figure out a
clean way of getting them through the evals. Ah well, I'll just have to
find another way of getting my timeout to work.
--
David Cantrell | semi-evolved ape-thing

The Law of Daves: in any gathering of technical people, the
number of Daves will be greater than the number of women.

Leon Timmermans

unread,
May 22, 2013, 6:57:50 PM5/22/13
to David Cantrell, perl5-...@perl.org
On Wed, May 22, 2013 at 11:30 PM, David Cantrell <da...@cantrell.org.uk> wrote:
> I believe you!
>
> I've just spent an unproductive couple of hours trying to patch Safe.pm
> to allow me to give it a list of signals that I want to leave working
> anyway regardless of the potential problems, but couldn't figure out a
> clean way of getting them through the evals. Ah well, I'll just have to
> find another way of getting my timeout to work.

POSIX::sigaction() may allow you to create an escape hatch…

Leon

David Cantrell

unread,
May 24, 2013, 7:21:03 AM5/24/13
to perl5-...@perl.org
> POSIX::sigaction() may allow you to create an escape hatch???

I don't think so - looks like it still relies on %SIG.

I think the solution will be to fork() off a child and run the Safe
compartment in that, killing off the child if it runs for too long. I
can return data from the child to the parent by serialising it to a temp
file or over a socket.

Handily, Parallel::ForkManager appears to support most of this already.

--
David Cantrell | Hero of the Information Age
0 new messages