From: Mateusz Guzik
Subject: Re: SYS_pinsyscalls question
To: Mark Kettenis
Cc: deraadt@openbsd.org, marc.espie.openbsd@gmail.com, tech@openbsd.org
Date: Sun, 2 Mar 2025 23:58:33 +0100

On Sun, Mar 2, 2025 at 10:31 PM Mark Kettenis wrote:
> Well, you're right that there is a potential race between threads
> here. Although that can only happen if you write your own version of
> ld.so that creates threads before pinning down the syscalls using
> pinsyscalls(2).
>
> [snip]
>
> But at the same time, this is a solution for a problem that doesn't
> really exist in reality. If someone really writes an ld.so
> replacement that starts threads before calling pinsyscalls(2) they
> deserve what they get.
>

I'm not claiming legitimate userspace will do this.

I am claiming the stock code has a race here which has to be evaluated (for example, whether it can be used to panic the kernel). I implied this is something which will have to be looked at every time there are any changes to pinsyscalls.

Finally, I claim this is a potential attack vector which does not need to be there.

If possible, calls into pinsyscalls from multithreaded processes would be disallowed to begin with. If that's not an option, the calling process can get other threads (if any) to freeze execution for the duration.

Either way, the problem disappears with no real complexity added.

--
Mateusz Guzik