Lock OS threads when exec'ing with Pdeathsig

corhere · corhere · commit b90a4ad89205 · 2022-10-05T12:18:03.000-04:00
On Linux, when (os/exec.Cmd).SysProcAttr.Pdeathsig is set, the signal will be sent to the process when the OS thread on which cmd.Start() was executed dies. The runtime terminates an OS thread when a goroutine exits after being wired to the thread with runtime.LockOSThread(). If other goroutines are allowed to be scheduled onto a thread which called cmd.Start(), an unrelated goroutine could cause the thread to be terminated and prematurely signal the command. See golang/go#27505 for more information. Prevent started subprocesses with Pdeathsig from getting signaled prematurely by wiring the starting goroutine to the OS thread until the subprocess has exited. No other goroutines can be scheduled onto a locked thread so it will remain alive until unlocked or the daemon process exits. Signed-off-by: Cory Snider <csnider@mirantis.com>
diff --git a/chrootarchive/archive_unix.go b/chrootarchive/archive_unix.go
@@ -95,6 +95,12 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T
 	cmd.Stdout = output
 	cmd.Stderr = output
 
+	// reexec.Command() sets cmd.SysProcAttr.Pdeathsig on Linux, which
+	// causes the started process to be signaled when the creating OS thread
+	// dies. Ensure that the reexec is not prematurely signaled. See
+	// https://go.dev/issue/27505 for more information.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
 	if err := cmd.Start(); err != nil {
 		w.Close()
 		return fmt.Errorf("Untar error on re-exec cmd: %v", err)
@@ -188,15 +194,27 @@ func invokePack(srcPath string, options *archive.TarOptions, root string) (io.Re
 		return nil, errors.Wrap(err, "error getting options pipe for tar process")
 	}
 
-	if err := cmd.Start(); err != nil {
-		return nil, errors.Wrap(err, "tar error on re-exec cmd")
-	}
-
+	started := make(chan error)
 	go func() {
+		// reexec.Command() sets cmd.SysProcAttr.Pdeathsig on Linux,
+		// which causes the started process to be signaled when the
+		// creating OS thread dies. Ensure that the subprocess is not
+		// prematurely signaled. See https://go.dev/issue/27505 for more
+		// information.
+		runtime.LockOSThread()
+		defer runtime.UnlockOSThread()
+		if err := cmd.Start(); err != nil {
+			started <- err
+			return
+		}
+		close(started)
 		err := cmd.Wait()
 		err = errors.Wrapf(err, "error processing tar file: %s", errBuff)
 		tarW.CloseWithError(err)
 	}()
+	if err := <-started; err != nil {
+		return nil, errors.Wrap(err, "tar error on re-exec cmd")
+	}
 
 	if err := json.NewEncoder(stdin).Encode(options); err != nil {
 		stdin.Close()
diff --git a/chrootarchive/diff_unix.go b/chrootarchive/diff_unix.go
@@ -115,6 +115,12 @@ func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions
 	outBuf, errBuf := new(bytes.Buffer), new(bytes.Buffer)
 	cmd.Stdout, cmd.Stderr = outBuf, errBuf
 
+	// reexec.Command() sets cmd.SysProcAttr.Pdeathsig on Linux, which
+	// causes the started process to be signaled when the creating OS thread
+	// dies. Ensure that the reexec is not prematurely signaled. See
+	// https://go.dev/issue/27505 for more information.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
 	if err = cmd.Run(); err != nil {
 		return 0, fmt.Errorf("ApplyLayer %s stdout: %s stderr: %s", err, outBuf, errBuf)
 	}
