From patchwork Tue May 21 13:12:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 797965 Delivered-To: patch@linaro.org Received: by 2002:adf:e68e:0:b0:351:d90a:5487 with SMTP id r14csp2379930wrm; Tue, 21 May 2024 06:13:30 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXzWMLDEJUVxg+pganfjHMGEhMEb3AHpqId1HTb3PL8jgDy+hwTRijettzTCX8uBzylrJMbSW7PTcOSDUyXwUIX X-Google-Smtp-Source: AGHT+IHvXU26lEL6PJGZjZFU/FeLLzLeZLj1NqgOsBc2KkugV/Ie/Qw+1o+CZ9dthXBdw3GXJ8wp X-Received: by 2002:aca:170c:0:b0:3c9:68d3:f9e9 with SMTP id 5614622812f47-3c9970485b5mr35784641b6e.13.1716297210368; Tue, 21 May 2024 06:13:30 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716297210; cv=pass; d=google.com; s=arc-20160816; b=Rx5PG2H2+khgwdp46e7Xkg6rmZWEVSYQO411MKl/K83zguaUVaEriK8qaIINfN/TG4 BZ8glLeENQnvlGqH1B+Gwq19cvYMkoLrfGA5bvFHiofi2gzNKwV6FhIblvJVKEHE+rRe P1ktqIuuHO2yLjF0O9/310hBgNp3oqPrjYYclT6a2yWF/FlpzSM5P8RKcrAoMzXIzPqP bmUeXerBULFSEnDyA5H8JOp35Y6emLOUBhNwLWuuKOija7YZA1oIevlbZ253V97B+4G7 rD/yfiwHVCiHlaUhUTv8nIaNemhxOXKBH1WkM9xl8BYW8hIF+3Nto69/kmo83SjWYoc8 w1Eg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from:dkim-signature :arc-filter:dmarc-filter:delivered-to; bh=AWXzEMmhbXy6ygigB5giikQ9ZZ0wZAas7GZufHVpJs8=; fh=XRtpeyGeZ4wfnaKXv/WSa55z+Edg9xHnbRpDFwWXh3o=; b=YjfVZR+2pkkeyxkgc34d2NVi38qUwY/43H163onurso1L6aZMkW0Ofly+OrRS8GGfe gRkuFd5X8btCgP4g3BiBBsjg5wpKQC1oJCOiPovYG+yErCEkT49vz264yx60k/jjlGFe BvAW5dJ5cT3Y9eJU43ztVtB/IPZCQSlXK7fAz4ipQnRUmBVL8ADpCTST5VgEvO8ThCPr LbrzkRULzNZMBgaoN9uC41VcTqPybSVqNp9ONUXvoII73oti24McjOlfRcsFKkKuRNw4 z9yeiQytanb8HYYImNhIy2Ct2ftVLRBJm3jw8XZ+U/DCt9h6ogbFa2wtcFMkiBE8qag7 tXGQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=dnkCuVpT; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from server2.sourceware.org (server2.sourceware.org. [8.43.85.97]) by mx.google.com with ESMTPS id af79cd13be357-792bf361fccsi638695785a.547.2024.05.21.06.13.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 May 2024 06:13:30 -0700 (PDT) Received-SPF: pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) client-ip=8.43.85.97; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=dnkCuVpT; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id F3257384AB47 for ; Tue, 21 May 2024 13:13:29 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) by sourceware.org (Postfix) with ESMTPS id 928BE3858D1E for ; Tue, 21 May 2024 13:13:18 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 928BE3858D1E Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 928BE3858D1E Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::62d ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1716297200; cv=none; b=IVP/AW097FMrt4ivcN3bEb4phWn3zLeYZPK1se8fpzqVam5dGkCUqqYvS2FfHaqgYpZqIU8RWIj0miHhlioUBLZicuqsZXl443HrbyKhurLqH1NI6fTfSjH9/tQyFiRLszl1vrLl3WT2MK+Rk9wFqqQ94idGypsfcSMhrrcKhpo= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1716297200; c=relaxed/simple; bh=Ah9RhFZBgYkOgCGfYZxuyNgGV0qloG++P3keMQoCgy4=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=H29fDhw8LSGcrMNALnjREyWA/C6m0ubAjy6K9HGkGcoOt27F+dtyHLhzP9AKGtl4sQ5CjhPz940sc5wMlsb3SsLKuOaMKf6Q9sEvO78YP7T3FW8lvpRJ05bN1jnqSfIJ89dzO8MhTnaif+zq5+NBJ6wJdc/TiprScP3JVQim1rg= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pl1-x62d.google.com with SMTP id d9443c01a7336-1ee5235f5c9so102446665ad.2 for ; Tue, 21 May 2024 06:13:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1716297197; x=1716901997; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=AWXzEMmhbXy6ygigB5giikQ9ZZ0wZAas7GZufHVpJs8=; b=dnkCuVpT63axlCOOl4BNnh7+gz9J28staHEuJ7jdgVfd2NSRbkH2Qc30uSpMRx54/I 5BVeBbx08FnHK0nYnsyRhP5RqHkD0hSFTTi1tAtfi4bDZvobadOioupiyj7Jethdqq/j i/6TQYr/gbI4+ePWAJoXkdrframIDFjmZJJtAMury1XTo2HY6XCgSiGqazcKiIM9Bx/q /bp/BUKMSzgeCUxUloeA/Q4jh8iS5Mk16CtRIPnnpsECttVWfziIpOkIpW7IxkSfhOz9 8WYs1JZK5vE0Cf5SotvGtWz9bzPluUjefMngPOCCRDLGRzt4/RfIFcbrUmhGx7RdE2f7 +Hxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716297197; x=1716901997; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AWXzEMmhbXy6ygigB5giikQ9ZZ0wZAas7GZufHVpJs8=; b=fh8fA9txyWjG6qbp161wventX7JnZ8neGHyNaVWkSFK25qofClvHhJ1489zkTsnEGc yQbhVewXiSYwbUgFWYlso9HzwMjUQAOfvyZ1f1YQsiyoG3mupUorGyeMg4rHk5+yA0mm zxPHZ5W9SlEID1uxxUZvDcBmXqDphmD6wriFCOW358JptymNoBVoggPoR0YGFDyuwzUi tQHGRyA4QaXlr3ov37/w6MYPJufaJ7xadCx61yTJkH0Qv7TYXfuP0s73CKGEXCHDtn7f ziN6znB/oGmd8ddUZC94UCdgtHw51/8CtWnjX4cIu0gWcrNba5Ll4Nm3RrTGzFVvIv5n yLHQ== X-Gm-Message-State: AOJu0Yz/EaNJCCjIwLyk/d/YE18LfqTwWUtINOH6uLQATve3zxeLbPjM lyqdsmjRLGCpwCLJWv6ZRJB9uCogMvQ7M10zIg4ESV1EjhKuYmypPYcPnNTZqN85ZTsltyM9OA5 s X-Received: by 2002:a17:902:7618:b0:1e3:e0a2:4fb8 with SMTP id d9443c01a7336-1ef43d2e1dbmr300054995ad.30.1716297196934; Tue, 21 May 2024 06:13:16 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c2:f76a:a4a6:1329:be7a:c724]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1ef0c13699dsm222339675ad.239.2024.05.21.06.13.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 May 2024 06:13:16 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Peter Cawley Subject: [PATCH v3] posix: Fix pidfd_spawn/pidfd_spawnp leak if execve fails (BZ 31695) Date: Tue, 21 May 2024 10:12:21 -0300 Message-ID: <20240521131311.604831-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-Spam-Status: No, score=-12.8 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+patch=linaro.org@sourceware.org If the pidfd_spawn/pidfd_spawnp helper process succeeds, but evecve fails for some reason (either with an invalid/non-existent, memory allocation, etc.) the resulting pidfd is never closed, nor returned to caller (so it can call close). Since the process creation failed, it should be up to posix_spawn to also, close the file descriptor in this case (similar to what it does to reap the process). This patch also changes the waitpid with waitid (P_PIDFD) for pidfd case, to avoid a possible pid re-use. Checked on x86_64-linux-gnu. Reviewed-by: Carlos O'Donell --- Changes from v2: * Use waitid (P_PIDFD) for the pidfd case. Changes from v1: * Use __close_nocancel_nostatus instead of __close. --- posix/tst-spawn2.c | 80 +++++++++++++++++++------------- sysdeps/unix/sysv/linux/spawni.c | 23 ++++++--- 2 files changed, 64 insertions(+), 39 deletions(-) diff --git a/posix/tst-spawn2.c b/posix/tst-spawn2.c index bb507204a2..b2bad3f1f7 100644 --- a/posix/tst-spawn2.c +++ b/posix/tst-spawn2.c @@ -26,6 +26,7 @@ #include #include +#include #include int @@ -38,38 +39,53 @@ do_test (void) char * const args[] = { 0 }; PID_T_TYPE pid = -1; - int ret = POSIX_SPAWN (&pid, program, 0, 0, args, environ); - if (ret != ENOENT) - { - errno = ret; - FAIL_EXIT1 ("posix_spawn: %m"); - } - - /* POSIX states the value returned on pid variable in case of an error - is not specified. GLIBC will update the value iff the child - execution is successful. */ - if (pid != -1) - FAIL_EXIT1 ("posix_spawn returned pid != -1 (%i)", (int) pid); - - /* Check if no child is actually created. */ - TEST_COMPARE (WAITID (P_ALL, 0, NULL, WEXITED), -1); - TEST_COMPARE (errno, ECHILD); - - /* Same as before, but with posix_spawnp. */ - char *args2[] = { (char*) program, 0 }; - - ret = POSIX_SPAWNP (&pid, args2[0], 0, 0, args2, environ); - if (ret != ENOENT) - { - errno = ret; - FAIL_EXIT1 ("posix_spawnp: %m"); - } - - if (pid != -1) - FAIL_EXIT1 ("posix_spawnp returned pid != -1 (%i)", (int) pid); - - TEST_COMPARE (WAITID (P_ALL, 0, NULL, WEXITED), -1); - TEST_COMPARE (errno, ECHILD); + { + struct support_descriptors *descrs = support_descriptors_list (); + + int ret = POSIX_SPAWN (&pid, program, 0, 0, args, environ); + if (ret != ENOENT) + { + errno = ret; + FAIL_EXIT1 ("posix_spawn: %m"); + } + + /* POSIX states the value returned on pid variable in case of an error + is not specified. GLIBC will update the value iff the child + execution is successful. */ + if (pid != -1) + FAIL_EXIT1 ("posix_spawn returned pid != -1 (%i)", (int) pid); + + /* Check if no child is actually created. */ + TEST_COMPARE (WAITID (P_ALL, 0, NULL, WEXITED), -1); + TEST_COMPARE (errno, ECHILD); + + /* Also check if there is no leak descriptors. */ + support_descriptors_check (descrs); + support_descriptors_free (descrs); + } + + { + /* Same as before, but with posix_spawnp. */ + char *args2[] = { (char*) program, 0 }; + + struct support_descriptors *descrs = support_descriptors_list (); + + int ret = POSIX_SPAWNP (&pid, args2[0], 0, 0, args2, environ); + if (ret != ENOENT) + { + errno = ret; + FAIL_EXIT1 ("posix_spawnp: %m"); + } + + if (pid != -1) + FAIL_EXIT1 ("posix_spawnp returned pid != -1 (%i)", (int) pid); + + TEST_COMPARE (WAITID (P_ALL, 0, NULL, WEXITED), -1); + TEST_COMPARE (errno, ECHILD); + + support_descriptors_check (descrs); + support_descriptors_free (descrs); + } return 0; } diff --git a/sysdeps/unix/sysv/linux/spawni.c b/sysdeps/unix/sysv/linux/spawni.c index e8ed2babb9..f57e92815e 100644 --- a/sysdeps/unix/sysv/linux/spawni.c +++ b/sysdeps/unix/sysv/linux/spawni.c @@ -449,13 +449,22 @@ __spawnix (int *pid, const char *file, caller to actually collect it. */ ec = args.err; if (ec > 0) - /* There still an unlikely case where the child is cancelled after - setting args.err, due to a positive error value. Also there is - possible pid reuse race (where the kernel allocated the same pid - to an unrelated process). Unfortunately due synchronization - issues where the kernel might not have the process collected - the waitpid below can not use WNOHANG. */ - __waitpid (new_pid, NULL, 0); + { + /* There still an unlikely case where the child is cancelled after + setting args.err, due to a positive error value. Also there is + possible pid reuse race (where the kernel allocated the same pid + to an unrelated process). Unfortunately due synchronization + issues where the kernel might not have the process collected + the waitpid below can not use WNOHANG. */ + __waitid (use_pidfd ? P_PIDFD : P_PID, + use_pidfd ? args.pidfd : new_pid, + NULL, + WEXITED); + /* For pidfd we need to also close the file descriptor for the case + where execve fails. */ + if (use_pidfd) + __close_nocancel_nostatus (args.pidfd); + } } else ec = errno;