Skip to content

fix(linux): prevent infinite re-exec loop under AppArmor#2239

Open
anishesg wants to merge 9 commits into
google:mainfrom
proudhare:fix/ph-issue-2184
Open

fix(linux): prevent infinite re-exec loop under AppArmor#2239
anishesg wants to merge 9 commits into
google:mainfrom
proudhare:fix/ph-issue-2184

Conversation

@anishesg

@anishesg anishesg commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

The MaybeReenterWithoutASLR() function in src/benchmark.cc caused infinite execv() loops when running benchmarks under AppArmor-enabled LSMs. The existing fix from #1985 only checked whether personality(ADDR_NO_RANDOMIZE) succeeded in the current process before calling execv(). However, some LSMs like AppArmor can silently reset personality flags during the execve() system call transition, even though the flag was successfully set in the parent process.

This fix implements a fork-based verification: before committing to re-exec the parent process, we fork a test child, exec it with a special argument, and have it report back whether ADDR_NO_RANDOMIZE actually survived the exec boundary. Only if the child confirms the flag persists do we proceed with re-executing the parent. This prevents infinite loops in environments where the LSM strips the personality flag during exec.

The test child is invoked with --benchmark_aslr_test_child=<fd>, checks its personality after exec, writes the result back through the provided file descriptor, and exits. This approach maintains hermeticity by using process arguments rather than environment variables.

Fixes #2184

The `MaybeReenterWithoutASLR()` function in `src/benchmark.cc` caused infinite execv() loops when running benchmarks under AppArmor-enabled LSMs. The existing fix from google#1985 only checked whether personality(ADDR_NO_RANDOMIZE) succeeded in the current process before calling execv(). However, some LSMs like AppArmor can silently reset personality flags during the execve() system call transition, even though the flag was successfully set in the parent process.

Signed-off-by: anish <anishesg@users.noreply.github.com>
Comment thread src/benchmark.cc Outdated
Comment thread src/benchmark.cc Outdated
Comment thread src/benchmark.cc Outdated
@LebedevRI

Copy link
Copy Markdown
Collaborator

Thank you for taking a look!
Can you repro the original issue?

This does roughly look how i imagined it would look.
But i'm not yet confident the fix is safe.

Comment thread src/benchmark.cc Outdated
LebedevRI and others added 2 commits July 2, 2026 22:20
…eap alloc

Signed-off-by: anish <anishesg@users.noreply.github.com>
@anishesg

anishesg commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

I haven't personally reproduced the original issue reported in #2184, but the reporter confirmed the infinite loop occurs on Ubuntu 24.04 with AppArmor enabled. The fork-based verification approach should be safe - if the personality doesn't survive exec, we just skip re-exec and continue normally.

Comment thread src/benchmark.cc Outdated

@LebedevRI LebedevRI left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please make the CI happy?

Comment thread src/benchmark.cc Outdated
Comment thread src/benchmark.cc
Comment thread src/benchmark.cc Outdated
Make CI pass, add some more error handling.
Ensure that we actually report that ASLR is still on in case we fail to unset it.

Co-authored-by: Roman Lebedev <lebedev.ri@gmail.com>
Comment thread src/benchmark.cc Outdated
Comment thread src/benchmark.cc Outdated
@LebedevRI LebedevRI self-requested a review July 4, 2026 00:15
Comment thread src/benchmark.cc Outdated
Comment thread src/benchmark.cc Outdated
@LebedevRI LebedevRI requested a review from dmah42 July 4, 2026 00:45

@LebedevRI LebedevRI left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dmah42 thoughts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] MaybeReenterWithoutASLR() infinite loop under AppArmor (not covered by #1984 fix)

3 participants