From: Tavian Barnes <tavianator@tavianator.com>
To: musl@lists.openwall.com
Subject: Re: posix_spawn() can expose the error pipe to the spawned process
Date: Mon, 8 Jul 2019 22:17:29 -0400 [thread overview]
Message-ID: <CABg4E-mTMVfxB8t7zOX+00Gu24pxazxPOdJ691DpaDRa0V-mLA@mail.gmail.com> (raw)
In-Reply-To: <CABg4E-nLr6czVZTidj1jaKeNBxyGk7PiJM8yjZwpTSkajH7D9g@mail.gmail.com>
[Sorry for messing up the threading, I'm not subscribed so I grabbed
this from the archive]
On Mon, 8 Jul 2019 at 13:09:55 -0400, Rich Felker wrote:
> On Mon, Jul 08, 2019 at 11:39:49AM -0400, Tavian Barnes wrote:
> > posix_spawn[p]() is implemented with a pipe that sends any error codes
> > encountered back to the parent process. It attempts to move the pipe
> > out of the way with dup() whenever that fd is used by the file_actions
> > as an output, but not as an input. So something like this:
> >
> > $ cat spawn_pipe.c
> > #include <spawn.h>
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <unistd.h>
> >
> > extern char **environ;
> >
> > int main() {
> > posix_spawn_file_actions_t fa;
> > posix_spawn_file_actions_init(&fa);
> > posix_spawn_file_actions_adddup2(&fa, 4, 1);
> >
> > char *argv[] = { "printf", "\\5\\0\\0\\0", NULL };
> >
> > pid_t pid;
> > int ret = posix_spawnp(&pid, "printf", &fa, NULL, argv, environ);
> > fprintf(stderr, "posix_spawnp(): %s\n", strerror(ret));
> > return ret;
> > }
> > $ musl-gcc -Wall spawn_pipe.c -o spawn_pipe && ./spawn_pipe
> > posix_spawnp(): I/O error
> >
> > ends up writing to that pipe and causing posix_spawn() to report
> > arbitrary errors. Presumably it should fail before exec()ing with
> > EBADF instead.
>
> Thanks! To clarify, for anyone reading, the issue here is that you're
> able to use a dup2 action in the spawn file actions to copy, and
> thereby obtain the ability to send junk to, the pipe file descriptor
> used internally. It's expected that the implementation can use file
> descriptors internally, and that if you use/copy fds you don't own,
> you could end up accessing one of them (this is the rationale for why
> POSIX has no closeall operation). However it seems preferable to avoid
> getting into an internally inconsistent state if this happens, and
> that should be easy to do.
Agreed.
> Does the attached fix look ok to you?
Yep, looks right. I was going to suggest moving the check next to the
if (op->fd == p) check above, but it looks like op->srcfd isn't always
initialized.
> Note that there are still plenty of other ways you can do evil things
> by copying internal fds, e.g. racing with another thread also calling
> posix_spawn to copy its pipe fd, or anywhere else fds are used
> (locale, message catalog, timezone, etc. loading, hosts/dns lookups,
> ...). These are pretty much fundamental issues in using dup2 with a fd
> you don't own.
Yep, agreed. I don't think the current behaviour is a bug or
non-standard-compliant or anything. Just seemed like an easy QoI
improvement.
> Rich
prev parent reply other threads:[~2019-07-09 2:17 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-08 15:39 Tavian Barnes
2019-07-08 17:09 ` Rich Felker
2019-07-09 2:17 ` Tavian Barnes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABg4E-mTMVfxB8t7zOX+00Gu24pxazxPOdJ691DpaDRa0V-mLA@mail.gmail.com \
--to=tavianator@tavianator.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).