From 921b12ca0c361b9c543368edf057712afa02ca14 Mon Sep 17 00:00:00 2001
From: Tony Finch
Date: Tue, 7 Jun 2011 16:48:44 +0100
Subject: exiwhat: Ensure the SIGUSR1 signal handler is safe.

exiwhat sends a SIGUSR1 to all exim processes to make them write their status to the process log. This is all done in the signal handler, but the logging code makes a number of calls that are not signal safe. These can all cause crashes or recursive locking in libc.

Firstly, obtaining and formatting the timestamp is not safe. Doing so is unnecessary since exiwhat strips off the timestamp. This change removes timestamps from the process log.

Secondly, exim closes all the logs after writing the process log. Closing syslog is not signal safe, and isn't necessary. We now only close the process log after writing to it.

Thirdly, exim may calculate the process_log_path inside the signal handler which involves some possibly-unsafe string handling code. This change calculates the path when reading the configuration.

Fourthly, when exim creates the process log file it might have to call the unsafe directory_create() though this is unlikely in practice. After this change exim only calls log_create() in a subprocess which is safe - it sometimes needs to do so anyway, if it is running as root and needs to drop privileges.

The new code has no process log handling in log.c which eliminates some awkward special cases. It uses very simple code to write to the file in the signal handler, so it is obviously safe by inspection.
---
 doc/doc-txt/ChangeLog | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'doc/doc-txt')

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 8ca5d85af..3af14c39e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -17,6 +17,21 @@ TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o TF/02 Fix a couple more cases where we did not log the error message when unlink() failed. See also change 4.74-TF/03. +TF/03 Make the exiwhat support code safe for signals. Previously Exim might + lock up or crash if it happened to be inside a call to libc when it + got a SIGUSR1 from exiwhat. + + The SIGUSR1 handler appends the current process status to the process + log which is later printed by exiwhat. It used to use the general + purpose logging code to do this, but several functions it calls are + not safe for signals. + + The new output code in the SIGUSR1 handler is specific to the process + log, and simple enough that it's easy to inspect for signal safety. + Removing some special cases also simplifies the general logging code. + Removing the spurious timestamps from the process log simplifies + exiwhat. + Exim version 4.76 ----------------- -- cgit v1.2.3
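Review bot: the TF/03 entry buries the only user-visible behaviour change, the removal of timestamps from the process log, in its last sentence and frames it purely as a simplification of exiwhat; since anything that reads the process log directly rather than through exiwhat will now see lines without a timestamp, state that as a behaviour change up front, e.g. "Lines in the process log no longer carry a timestamp; exiwhat stripped it anyway." The entry also omits two points the commit message makes that an operator may notice: process_log_path is now computed when the configuration is read rather than in the signal handler, and the process log file is now only created (via log_create()) in a subprocess, so a changed or unwritable process log directory surfaces differently than before. Finally, this view is limited to doc/doc-txt, so the claim that the new handler code is "simple enough that it's easy to inspect for signal safety" cannot be checked from this hunk; it should be reviewed together with the corresponding source change.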