From: Josselin Poiret via "Bug reports for GUILE, GNU's Ubiquitous Extension Language" <bug-guile@gnu.org>
To: "Ludovic Courtès" <ludo@gnu.org>, "Omar Polo" <op@omarpolo.com>
Cc: Andrew Whatson <whatson@tailcall.au>, 61095@debbugs.gnu.org
Subject: bug#61095: possible misuse of posix_spawn API on non-linux OSes
Date: Tue, 28 Mar 2023 18:10:27 +0200 [thread overview]
Message-ID: <87tty4svpo.fsf@jpoiret.xyz> (raw)
In-Reply-To: <87zg7xgqxz.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 3014 bytes --]
Hi Ludo,
Ludovic Courtès <ludo@gnu.org> writes:
> - posix_spawn_file_actions_addclose (actions, fd);
> + /* Adding invalid file descriptors to an 'addclose' action leads
> + to 'posix_spawn' failures on some operating systems:
> + <https://bugs.gnu.org/61095>. Hence the extra check. */
> + int flags = fcntl (max_fd, F_GETFD, NULL);
> + if ((flags >= 0) && ((flags & FD_CLOEXEC) == 0))
> + posix_spawn_file_actions_addclose (actions, max_fd);
> }
I'm worried about TOCTOU in multi-threaded contexts here, which is why I
opted for the heavy handed-approach here. In general I don't think we
can know in advance which fdes to close :/ It's a shame that the
posix_spawn actions fails on other kernels, since I don't really see a
way to mitigate this problem (apart from the new
posix_spawn_file_actions_addclosefrom_np as you mentioned). I don't
know what we could do here. Maybe not provide spawn? Or provide it in
spite of the broken fd closing?
> -
> - closedir (dirp);
> }
>
> static pid_t
> @@ -1366,6 +1345,26 @@ do_spawn (char *exec_file, char **exec_argv, char **exec_env,
> posix_spawn_file_actions_t actions;
> posix_spawnattr_t *attrp = NULL;
>
> + posix_spawn_file_actions_init (&actions);
> +
> + /* Duplicate IN, OUT, and ERR unconditionally to clear their
> + FD_CLOEXEC flag, if any. */
> + posix_spawn_file_actions_adddup2 (&actions, in, STDIN_FILENO);
> + posix_spawn_file_actions_adddup2 (&actions, out, STDOUT_FILENO);
> + posix_spawn_file_actions_adddup2 (&actions, err, STDERR_FILENO);
This won't work, and actually this was one of the original logic bugs I
was trying to fix. If err is equal to, let's say, STDIN_FILENO, then
the first call will overwrite the initial file descriptor at
STDIN_FILENO, and the second call won't do what the caller intended.
This is why I was moving them out of the way first, so that they would
not overwrite each other.
> + /* TODO: Use 'closefrom' where available. */
> +#if 0
> + /* Version 2.34 of the GNU libc provides this function. */
> + posix_spawn_file_actions_addclosefrom_np (&actions, 3);
> +#else
> + if (in > 2)
> + posix_spawn_file_actions_addclose (&actions, in);
> + if (out > 2 && out != in)
> + posix_spawn_file_actions_addclose (&actions, out);
> + if (err > 2 && err != out && err != in)
> + posix_spawn_file_actions_addclose (&actions, err);
Isn't this unneeded given we call close_inherited_fds below?
> [...]
>
> Josselin: I simplified the ‘dup2’ logic somewhat.
See my comments above.
> Guile does that for file descriptors it opens internally, but
> applications using ‘open-file’ without the recently-added “e” flag, or
> ‘socket’ without ‘SOCK_CLOEXEC’, etc., end up with more file descriptors
> that need to be taken care of.
>
> I wish the default were close-on-exec, but we’re not there yet.
+1
Best,
--
Josselin Poiret
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 682 bytes --]
next prev parent reply other threads:[~2023-03-28 16:10 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-27 11:51 bug#61095: possible misuse of posix_spawn API on non-linux OSes Omar Polo
2023-01-27 12:25 ` Omar Polo
2023-03-28 9:34 ` Ludovic Courtès
2023-03-28 16:10 ` Josselin Poiret via Bug reports for GUILE, GNU's Ubiquitous Extension Language [this message]
2023-03-29 22:30 ` Ludovic Courtès
2023-03-29 22:30 ` bug#61095: [PATCH 1/3] 'spawn' closes only open file descriptors on non-GNU/Linux systems Ludovic Courtès
2023-03-29 22:30 ` bug#61095: [PATCH 2/3] Remove racy optimized file descriptor closing loop in 'spawn' Ludovic Courtès
2023-03-29 22:30 ` bug#61095: [PATCH 3/3] Use 'posix_spawn_file_actions_addclosefrom_np' where available Ludovic Courtès
2023-03-30 20:21 ` bug#61095: possible misuse of posix_spawn API on non-linux OSes Josselin Poiret via Bug reports for GUILE, GNU's Ubiquitous Extension Language
2023-03-31 17:45 ` Omar Polo
2023-04-02 13:44 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87tty4svpo.fsf@jpoiret.xyz \
--to=bug-guile@gnu.org \
--cc=61095@debbugs.gnu.org \
--cc=dev@jpoiret.xyz \
--cc=ludo@gnu.org \
--cc=op@omarpolo.com \
--cc=whatson@tailcall.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).