fix(linux): prevent infinite re-exec loop under AppArmor#2239
Open
anishesg wants to merge 9 commits into
Open
Conversation
The `MaybeReenterWithoutASLR()` function in `src/benchmark.cc` caused infinite execv() loops when running benchmarks under AppArmor-enabled LSMs. The existing fix from google#1985 only checked whether personality(ADDR_NO_RANDOMIZE) succeeded in the current process before calling execv(). However, some LSMs like AppArmor can silently reset personality flags during the execve() system call transition, even though the flag was successfully set in the parent process. Signed-off-by: anish <anishesg@users.noreply.github.com>
LebedevRI
reviewed
Jul 2, 2026
LebedevRI
reviewed
Jul 2, 2026
LebedevRI
reviewed
Jul 2, 2026
Collaborator
|
Thank you for taking a look! This does roughly look how i imagined it would look. |
LebedevRI
reviewed
Jul 2, 2026
…eap alloc Signed-off-by: anish <anishesg@users.noreply.github.com>
Contributor
Author
|
I haven't personally reproduced the original issue reported in #2184, but the reporter confirmed the infinite loop occurs on Ubuntu 24.04 with AppArmor enabled. The fork-based verification approach should be safe - if the personality doesn't survive exec, we just skip re-exec and continue normally. |
LebedevRI
reviewed
Jul 2, 2026
LebedevRI
reviewed
Jul 3, 2026
LebedevRI
left a comment
Collaborator
There was a problem hiding this comment.
Could you please make the CI happy?
LebedevRI
reviewed
Jul 3, 2026
LebedevRI
reviewed
Jul 4, 2026
LebedevRI
reviewed
Jul 4, 2026
Make CI pass, add some more error handling. Ensure that we actually report that ASLR is still on in case we fail to unset it. Co-authored-by: Roman Lebedev <lebedev.ri@gmail.com>
LebedevRI
reviewed
Jul 4, 2026
LebedevRI
reviewed
Jul 4, 2026
LebedevRI
reviewed
Jul 4, 2026
LebedevRI
reviewed
Jul 4, 2026
LebedevRI
approved these changes
Jul 4, 2026
dmah42
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
MaybeReenterWithoutASLR()function insrc/benchmark.cccaused infinite execv() loops when running benchmarks under AppArmor-enabled LSMs. The existing fix from #1985 only checked whether personality(ADDR_NO_RANDOMIZE) succeeded in the current process before calling execv(). However, some LSMs like AppArmor can silently reset personality flags during the execve() system call transition, even though the flag was successfully set in the parent process.This fix implements a fork-based verification: before committing to re-exec the parent process, we fork a test child, exec it with a special argument, and have it report back whether ADDR_NO_RANDOMIZE actually survived the exec boundary. Only if the child confirms the flag persists do we proceed with re-executing the parent. This prevents infinite loops in environments where the LSM strips the personality flag during exec.
The test child is invoked with
--benchmark_aslr_test_child=<fd>, checks its personality after exec, writes the result back through the provided file descriptor, and exits. This approach maintains hermeticity by using process arguments rather than environment variables.Fixes #2184