ld-linux-x86-64.so.2 (dynamic linker/loader) calls `set_tid_address`, returning the native pid, before shadow gets control, and sometimes uses it after. (tgen, rust runtime)

[sporksmith]

If we look at the strace log of tgen processes in the tor minimal test, fairly near the beginning we get something like:

00:00:01.000000000 [tid 1000] sched_getaffinity(718573, 8, <pointer>) = -3 (ESRCH)

where 718573 is the native pid of the tgen process.

We can get a little better idea of what's going on by running strace over tgen natively:

$ strace -k tgen
...
set_tid_address(0x71db81b80f10)         = 715841
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(_dl_deallocate_tls+0x6ce) [0x1513e]
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(_dl_catch_error+0x3a38) [0x20e08]
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(_dl_catch_error+0x727c) [0x2464c]
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(_dl_catch_error+0x246c) [0x1f83c]
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(_dl_catch_error+0x41c8) [0x21598]
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(_dl_catch_error+0x2ec8) [0x20298]
...
sched_getaffinity(715841, 8, [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]) = 8
 > /usr/lib/x86_64-linux-gnu/libc.so.6(pthread_getaffinity_np+0x20) [0x95cf0]
 > /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0(omp_test_nest_lock+0x296) [0x200e6]
 > /usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0() [0xbfe2]
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(__nptl_change_stack_perm+0x12ce) [0x647e]
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(__nptl_change_stack_perm+0x13b8) [0x6568]
 > /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2(_dl_catch_error+0x2efa) [0x202ca]

It appears that in shadow we don't have control yet for the set_tid_address call, which returns the native pid, but do have control for the later sched_getaffinity call that uses it.

As far as I can tell the ESRCH that shadow ends up returning here doesn't have any ill effect, and this doesn't appear to cause the execution of tgen to otherwise diverge, but this difference shows up if we try diff'ing tgen strace logs.

[sporksmith]

I think this would be a tough one to fix.

To completely eliminate any syscalls happening before we get control, we'd need to install the seccomp policy before execing the managed program. However the current policy raises a signal on syscalls to be handled in an in-process signal handler in the shim. Therefore it'd be broken at this early stage before the shim is actually loaded into memory.

We could consider other approaches such as using ptrace to catch these early syscalls, or using a seccomp policy that delegates handling to the parent process instead of handling it in-process, but these have complexity and performance implications.

[sporksmith]

This also affects the rust runtime, as per #3626

[sporksmith]

As opara suggests, if we're able to get rid of the shim's dependency on libc (#2919), we might be able to get the shim to initialize before libc and get control before this set_tid_address syscall. (Possibly also using -z initfirst)

[sporksmith]

As opara suggests, if we're able to get rid of the shim's dependency on libc (#2919), we might be able to get the shim to initialize before libc and get control before this set_tid_address syscall. (Possibly also using -z initfirst)

Actually I'm not sure that would work after all, since the set_tid_address syscall is in the dynamic loader, not in libc. -z initfirst might let us initialize before libc does, but probably not before this dynamic loader init.

[stevenengler]

As opara suggests, if we're able to get rid of the shim's dependency on libc (#2919), we might be able to get the shim to initialize before libc and get control before this set_tid_address syscall. (Possibly also using -z initfirst)

Actually I'm not sure that would work after all, since the set_tid_address syscall is in the dynamic loader, not in libc. -z initfirst might let us initialize before libc does, but probably not before this dynamic loader init.

Ah, I missed that this was in the loader :( I'm a little bit confused since I thought it was the glibc lib that was responsible for setting up the TLS (or maybe they both do, depending on whether it's a static or dynamic binary?), but anyways my system seems to show set_tid_address coming from __tls_init_tp, as you mentioned in the other issue.

set_tid_address(0x7f2842f2ea10)         = 3526460
 > /usr/lib64/ld-linux-x86-64.so.2(__tls_init_tp+0x52) [0x13232]
 > /usr/lib64/ld-linux-x86-64.so.2(init_tls+0x12a) [0x1de3a]
 > /usr/lib64/ld-linux-x86-64.so.2(dl_main+0x29fa) [0x2119a]
 > /usr/lib64/ld-linux-x86-64.so.2(_dl_sysdep_start+0x85) [0x1cb35]
 > /usr/lib64/ld-linux-x86-64.so.2(_dl_start+0x5dd) [0x1e49d]
 > /usr/lib64/ld-linux-x86-64.so.2(_start+0x7) [0x1d187]

Rather than trying to intercept the set_tid_address syscall, another option could be making the pid/tid deterministic as a workaround. This could be done by running processes in a new pid namespace. But this has downsides, since it either requires root privileges (or some capability), or requires a new user namespace with privileges inside that namespace. Creating a new userns, mapping the root user in the userns, and creating a pidns would work on almost all distros except Ubuntu. On Ubuntu this means that shadow users would need to install an apparmor profile for Shadow.

But maybe we could make it a fallible feature, where non-Ubuntu users get better determinism than Ubuntu users. At least if/until we can implement a better solution.

Edit: This would also require mounting a new procfs. But I don't think that's very difficult. It's just more cruft to deal with.

[sporksmith]

I'm a little bit confused since I thought it was the glibc lib that was responsible for setting up the TLS

Yeah you'd think so. The loader is part of the glibc software though; just distinct from the libc.so dynamic library; maybe they pushed TLS init of the initial thread into the loader so that the loader itself can use it.

another option could be making the pid/tid deterministic as a workaround. This could be done by running processes in a new pid namespace.

Maybe. So far this doesn't appear to have caused any real problems outside of distracting noise when diffing straces to debug/test reproducibility, though.

In #3619 I marked the pid of sched_get_affinity as non-deterministic to just get rid of that distraction for now.

Another way to get control sooner without implementing our own dynamic loader would be to ptrace-attach between fork and exec and intercept syscalls via ptrace, like in the old ptrace-mode, until the shim is initialized. That's a lot of extra complexity to bring (back) in, though. It'd also make it trickier for the user to use gdb, though maybe we could extend the current debug-hosts feature to wait until we've ptrace-detached before prompting the user to attach.

But yeah in general I'm fine with just working around this in reproducibility testing since so far it doesn't seem to cause any real problems, and all of the "real" solutions are pretty complex.