LWN: Comments on "Glibc project revisits infrastructure security"

Please fix the buggy rwlock!

PengZheng — Tue, 03 Jun 2025 09:15:49 +0000

Anyone follow my explanation in the bugzilla thread [0] will agree that this is obviously a severe bug.
It is common sense that infinite user space spin should almost NEVER be allowed.

This just illustrates the lack of testing infrastructure of glibc.

[0] https://sourceware.org/bugzilla/show_bug.cgi?id=31477#c9

Please fix the buggy rwlock!

PengZheng — Tue, 03 Jun 2025 08:43:24 +0000

I'm afraid that it is not, just as another commenter has already pointed out:

> glibc test-suite does not cover pthread well.

Please fix the buggy rwlock!

jwakely — Tue, 03 Jun 2025 08:25:57 +0000

This is completely off topic on an lwn article about the project infrastructure.

Some small Sourceware updates

mjw — Sun, 01 Jun 2025 23:11:41 +0000

The article is correct that the https://sourceware.org/sourceware-security-vision.html#plans page hadn't been updated for some time. There are some updates now. Also we added a sponsor@sourceware.org address to https://sourceware.org/donate.html in case people want to talk about sponsoring, donating hardware, services, etc.

We do like to not be totally dependent on corporate sponsorship, so we also take individual donations and grants. And encourage people to become Software Freedom Conservancy sustainers https://sfconservancy.org/sustainer/ and/or donate to the OSU Open Source Lab https://osuosl.org/donate

Please fix the buggy rwlock!

PengZheng — Thu, 29 May 2025 10:50:56 +0000

This issue is relatively trivial to reproduce and the impact is HUGE: billions of embedded multimedia devices might be affected.

"Fortunately", there is an easy way out: revert to the good old implementation by Ulrich Drepper.
I have done that 5-6 times in the past year for glibc toolchains from various SOC vendors.

To be honest, I really missed Ulrich Drepper.

Please fix the buggy rwlock!

ballombe — Thu, 29 May 2025 10:26:34 +0000

My experience is that glibc test-suite does not cover pthread well.

Please fix the buggy rwlock!

PengZheng — Thu, 29 May 2025 05:02:13 +0000

I should have mentioned that both musl and uclibc(-ng) do not have this issue.

Please fix the buggy rwlock!

PengZheng — Thu, 29 May 2025 05:00:09 +0000

Once again, I call for glibc developers take time to fix the buggy rwlock implementation introduced by Torvald Riegel, which make glibc's rwlock completely unusable with realtime tasks.

https://sourceware.org/bugzilla/show_bug.cgi?id=31477

This issue has extensive impact because OpenSSL use wrlock as ordinary mutex by default.

https://github.com/openssl/openssl/blob/3cb07553232812672...

And it impacts nearly all subsystems of OpenSSL.

https://github.com/openssl/openssl/blob/b372b1f76450acdfe...

I can safely tell that nearly all linux running real-time task using OpenSSL might be affected by this issue (like real-time video streaming over TLS connection).

Some small Sourceware updates

mjw — Thu, 29 May 2025 01:55:07 +0000

Thanks, that is a good overview of the current state. We really should update the Sourceware infrastructure security page with recent updates on the isolated services and the pull-request server, which turned into forge.sourceware.org (an experiment with Forgejo) also hosted in the Red Hat Community Cage on a separate VM now.

The opportunity to move to separate containers or VMs is not (just) because of the move to a new datacenter, but because Red Hat has been so generous to host an extra (bigger) server in the new community cage for us. That server will be installed before the move. So we have some time to setup the services on a new setup on a server big enough to run multiple VMs. And then we have three physical servers in the new place, after the existing servers also move there, to have extra redundancy.