From patchwork Mon May 6 17:27:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 1932126 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=riTnduaZ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VY7fy5b3zz1xnT for ; Tue, 7 May 2024 03:28:42 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id C85B73858C31 for ; Mon, 6 May 2024 17:28:40 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) by sourceware.org (Postfix) with ESMTPS id 312063858D1E for ; Mon, 6 May 2024 17:28:23 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 312063858D1E Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 312063858D1E Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::62a ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1715016505; cv=none; b=bz3ttVnaa+uo0CLcx8oKLCIDe5uDKrPrK0S3OoUkrKDn8rcpIhuovcF4dBXCA3SdZS9TrWfvBpmEq3lgeaO1LODMZobPbku8xbegM5xAF0PP3YnmPYve0vqsmeSRWdcgyf9Qnk5z3fHRF1/pgM2FKZdh++drvx4yPUCKsKXAvlQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1715016505; c=relaxed/simple; bh=K2KLXgjrZjauq7TZyNP61Wy3UQL5DSHFJYa7OwOg5f8=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=ocGDyS9k5QfdnnmV5Es5yfp0daQiT1ATPSKIHGav2Vf2oCFXmZC/fY8N3gr+BXCW0qiA2JMcOBgPbXUMisxiua26h52Dt7Isozct4r8DgGgrc1pFDcmzYTYK+Gux8Jnbw4VudC9Q68jfEWzOu9GK/9Hoy894uiK03U3FUDS7w0k= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pl1-x62a.google.com with SMTP id d9443c01a7336-1ec4dd8525cso16328585ad.3 for ; Mon, 06 May 2024 10:28:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1715016500; x=1715621300; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=0lC+0aCViI06SJb3eqNLf0i8+xGg5JXchxA8s4bp7a0=; b=riTnduaZYA1ePU3JNuugQDVdHS5aq3Bv+R69UJ+ygmuYy4nZT/AOQpm6PPp4hDlHjD Ph2PF6ZgzsPgcnAKBPKj4FsGXzqwnEuyGLKMn+Y+R/cTG/+IELp6YmJlgvptPd4SEPS5 3p6ZV7kZ+o7MYqayZlkcyOHDVHN88cJLcPm34ISzSdmBC7ItLUg369/sHs00nuwF5f9S kRMvUnnWkzFvZPuZEQATu+d1w5oFEXS0XnGLZIe43Kk88gHrscfQ+47r04zOmgLgkk8t yn2vCDxeXF2OimB+aOPoDJS+eqVkMm6JVxESXkHsyTZkUlhmtHnaGxmks62nd64l/4bT MPnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715016500; x=1715621300; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0lC+0aCViI06SJb3eqNLf0i8+xGg5JXchxA8s4bp7a0=; b=aNvqJB5z3X9yaaJvRYNbzCpcCka3UfRhnTQ98nb46EjKm3VVgxM/cklF1X80V++nd7 aWgWvMRtYV/VEf6yGzBs4LHt2LMAQ5py9/1Vai4RWAC/tR6hzVu0qtTp6NZ0jLGnkOCX Oy1Tmvs7cdJ6OieHyzu8ktP2szkEbJLynE7N/gRIDGbASgoXW2d/5q0zmcywfsYLifbu hK7LMoXyi9vKbcmJw7vwPxyXwmB8PNS03maM5PTtnKlRUxFYjgB7j+GIwFjCfBWJ4uWo U1FUTUQBPfMpyP0aTCf3qjIeFBfllZe0muw77tpBpsUGQNwEBQV11dO5e/KLkAZ0iUEL IQSw== X-Gm-Message-State: AOJu0YyzF9ytpejULtNn+gcnf3muEU5oYcCo+QB3We7QDlJCT40LwCaj ceRjLoVIGSGy9pzh4ALiYKRuNG6pm6E0HuB4Y5xUu0oah8/o6YGo01i0NyayhBBGzkz9HCEnpio S X-Google-Smtp-Source: AGHT+IG28+U4oJ4KQqn3LLpcuyuyfg+E3X8+/8UTFX+IMEb7UU2CE29UwHC6y23yjN9ul8c6VYRbuA== X-Received: by 2002:a17:90a:dd98:b0:2b2:b02d:3ffd with SMTP id l24-20020a17090add9800b002b2b02d3ffdmr9015616pjv.15.1715016500201; Mon, 06 May 2024 10:28:20 -0700 (PDT) Received: from mandiga.. ([2804:1b3:a7c2:6e56:fc45:bb45:8b35:9b81]) by smtp.gmail.com with ESMTPSA id f11-20020a17090aec8b00b002b436a81fe8sm6745461pjy.39.2024.05.06.10.28.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 May 2024 10:28:19 -0700 (PDT) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Peter Cawley Subject: [PATCH v2] posix: Fix pidfd_spawn/pidfd_spawnp leak if execve fails (BZ 31695) Date: Mon, 6 May 2024 14:27:49 -0300 Message-ID: <20240506172816.1661462-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-Spam-Status: No, score=-12.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org If the pidfd_spawn / pidfd_spawnp helper process succeeds, but evecve fails for some reason (either with an invalid/non-existent, memory allocation, etc.) the resulting pidfd is never closed, nor returned to caller (so it can call close). Since the process creation failed, it should be up to posix_spawn to also, close the file descriptor in this case (similar to what it does to reap the process). Checked on x86_64-linux-gnu. --- Changes from v1: - Use __close_nocancel_nostatus instead of __close. --- posix/tst-spawn2.c | 80 +++++++++++++++++++------------- sysdeps/unix/sysv/linux/spawni.c | 20 +++++--- 2 files changed, 61 insertions(+), 39 deletions(-) diff --git a/posix/tst-spawn2.c b/posix/tst-spawn2.c index bb507204a2..b2bad3f1f7 100644 --- a/posix/tst-spawn2.c +++ b/posix/tst-spawn2.c @@ -26,6 +26,7 @@ #include #include +#include #include int @@ -38,38 +39,53 @@ do_test (void) char * const args[] = { 0 }; PID_T_TYPE pid = -1; - int ret = POSIX_SPAWN (&pid, program, 0, 0, args, environ); - if (ret != ENOENT) - { - errno = ret; - FAIL_EXIT1 ("posix_spawn: %m"); - } - - /* POSIX states the value returned on pid variable in case of an error - is not specified. GLIBC will update the value iff the child - execution is successful. */ - if (pid != -1) - FAIL_EXIT1 ("posix_spawn returned pid != -1 (%i)", (int) pid); - - /* Check if no child is actually created. */ - TEST_COMPARE (WAITID (P_ALL, 0, NULL, WEXITED), -1); - TEST_COMPARE (errno, ECHILD); - - /* Same as before, but with posix_spawnp. */ - char *args2[] = { (char*) program, 0 }; - - ret = POSIX_SPAWNP (&pid, args2[0], 0, 0, args2, environ); - if (ret != ENOENT) - { - errno = ret; - FAIL_EXIT1 ("posix_spawnp: %m"); - } - - if (pid != -1) - FAIL_EXIT1 ("posix_spawnp returned pid != -1 (%i)", (int) pid); - - TEST_COMPARE (WAITID (P_ALL, 0, NULL, WEXITED), -1); - TEST_COMPARE (errno, ECHILD); + { + struct support_descriptors *descrs = support_descriptors_list (); + + int ret = POSIX_SPAWN (&pid, program, 0, 0, args, environ); + if (ret != ENOENT) + { + errno = ret; + FAIL_EXIT1 ("posix_spawn: %m"); + } + + /* POSIX states the value returned on pid variable in case of an error + is not specified. GLIBC will update the value iff the child + execution is successful. */ + if (pid != -1) + FAIL_EXIT1 ("posix_spawn returned pid != -1 (%i)", (int) pid); + + /* Check if no child is actually created. */ + TEST_COMPARE (WAITID (P_ALL, 0, NULL, WEXITED), -1); + TEST_COMPARE (errno, ECHILD); + + /* Also check if there is no leak descriptors. */ + support_descriptors_check (descrs); + support_descriptors_free (descrs); + } :+ + { + /* Same as before, but with posix_spawnp. */ + char *args2[] = { (char*) program, 0 }; + + struct support_descriptors *descrs = support_descriptors_list (); + + int ret = POSIX_SPAWNP (&pid, args2[0], 0, 0, args2, environ); + if (ret != ENOENT) + { + errno = ret; + FAIL_EXIT1 ("posix_spawnp: %m"); + } + + if (pid != -1) + FAIL_EXIT1 ("posix_spawnp returned pid != -1 (%i)", (int) pid); + + TEST_COMPARE (WAITID (P_ALL, 0, NULL, WEXITED), -1); + TEST_COMPARE (errno, ECHILD); + + support_descriptors_check (descrs); + support_descriptors_free (descrs); + } return 0; } diff --git a/sysdeps/unix/sysv/linux/spawni.c b/sysdeps/unix/sysv/linux/spawni.c index e8ed2babb9..1556dd17e0 100644 --- a/sysdeps/unix/sysv/linux/spawni.c +++ b/sysdeps/unix/sysv/linux/spawni.c @@ -449,13 +449,19 @@ __spawnix (int *pid, const char *file, caller to actually collect it. */ ec = args.err; if (ec > 0) - /* There still an unlikely case where the child is cancelled after - setting args.err, due to a positive error value. Also there is - possible pid reuse race (where the kernel allocated the same pid - to an unrelated process). Unfortunately due synchronization - issues where the kernel might not have the process collected - the waitpid below can not use WNOHANG. */ - __waitpid (new_pid, NULL, 0); + { + /* There still an unlikely case where the child is cancelled after + setting args.err, due to a positive error value. Also there is + possible pid reuse race (where the kernel allocated the same pid + to an unrelated process). Unfortunately due synchronization + issues where the kernel might not have the process collected + the waitpid below can not use WNOHANG. */ + __waitpid (new_pid, NULL, 0); + /* For pidfd we need to also close the file descriptor for the case + where execve fails. */ + if (use_pidfd) + __close_nocancel_nostatus (args.pidfd); + } } else ec = errno;