Message-ID: <CAJgzZorYF7vLJp13YWWDih9nVPt9dt9=hHZTmp6ewwtwXzWprw@mail.gmail.com>
Date: Tue, 23 Feb 2021 10:15:06 -0800
From: enh <enh@...gle.com>
To: libc-coord@...ts.openwall.com
Cc: Rich Felker <dalias@...c.org>
Subject: Re: Lifetime of object returned by readdir

On Tue, Feb 23, 2021 at 10:03 AM Florian Weimer <fweimer@...hat.com> wrote:

> * Rich Felker:
>
> > However, as part of resolving an application UAF bug where the dirent
> > was used after closedir, I realized that the specification fails to
> > mention closedir of the directory stream as a condition that can end
> > the lifetime of the dirent object. This seems like an omission, and
> > like it does not admit any implementation without severe memory leaks
> > -- the last dirent returned for each stream would have to be preserved
> > indefinitely unless the thread that called readdir exited.
> >
> > I'd like to push to have this fixed (adding closedir as a condition
> > that ends the lifetime) as part of making readdir thread-safe, but
> > before opening a new Austin Group issue or following up on the
> > existing one there I'd like to make sure we're on the same page.
>
> Sounds reasonable to me.  rewinddir and seekdir should perhaps
>

POSIX already explicitly says that seekdir() affects the _next_ readdir().

The "[rewinddir()] shall also cause the directory stream to refer to the
current state of the corresponding directory, as a call to opendir() would
have done" on the rewinddir() page is interesting, but I'm interpreting that
(and I believe existing implementations interpret that) as applying to the
_next_ readdir() call.


> invalidate readdir-returned pointers, too.  It might be possible to
> delay their operation to their next readdir call, but it might
> needlessly complicate the implementation.


Does anyone have an implementation where rewinddir()/seekdir() actually
invalidate the previous readdir()? Seems unlikely?


> And for completeness, also
> mention any access to the underlying file descriptor.
>

Good point.


> Thanks,
> Florian
>
>

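The application bug Rich mentions (a dirent used after closedir) is worth seeing next to the pattern that is correct under every interpretation discussed in this thread. The following is an added example, not code from the thread or from any libc: it copies `d_name` out of the `struct dirent` before `closedir()` runs, so no pointer into the stream's buffer outlives the stream. The scratch directory, the file names `alpha.txt`/`beta.txt`, and the helper names `collect_names` and `demo_readdir_copy` are all constructed for this demo.

```c
/* Added example: copy readdir() results before closedir(), never keep the
 * struct dirent pointer past the stream. Names below are constructed. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700     /* mkdtemp() */
#endif
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Caller-owned copy of the one field we need. Copying is valid whether the
 * implementation invalidates the dirent on closedir(), on the next readdir(),
 * or on rewinddir()/seekdir(). */
struct entry_copy {
    char name[256];           /* NAME_MAX + 1 on common systems */
};

/* Copies up to `max` entry names (skipping . and ..) into out[].
 * Returns the count, or -1 on error. No dirent pointer escapes `dirp`. */
static int collect_names(const char *path, struct entry_copy *out, int max)
{
    DIR *dirp = opendir(path);
    if (dirp == NULL)
        return -1;

    int n = 0;
    for (;;) {
        errno = 0;                        /* distinguish EOF from error */
        struct dirent *de = readdir(dirp);
        if (de == NULL)
            break;
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        if (n == max)
            break;
        size_t len = strlen(de->d_name);
        if (len >= sizeof out[n].name) {  /* refuse to truncate silently */
            closedir(dirp);
            return -1;
        }
        memcpy(out[n].name, de->d_name, len + 1);
        n++;
    }
    int saved = errno;
    closedir(dirp);   /* from here on, any earlier `de` is dead: never touch it */
    return saved != 0 ? -1 : n;
}

/* The buggy shape from the thread, for contrast only (compiled out):
 *
 *   struct dirent *de = readdir(dirp);
 *   closedir(dirp);
 *   return de;      // dangling: the buffer may be freed with the stream
 */

/* Self-contained check: builds a scratch directory with two files, collects
 * the names after the stream is closed, removes everything. 0 on success. */
int demo_readdir_copy(void)
{
    char tmpl[] = "/tmp/readdir_demo_XXXXXX";   /* constructed scratch path */
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return 1;

    const char *files[] = { "alpha.txt", "beta.txt" };
    char fpath[512];
    for (int i = 0; i < 2; i++) {
        snprintf(fpath, sizeof fpath, "%s/%s", dir, files[i]);
        int fd = open(fpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            return 1;
        close(fd);
    }

    struct entry_copy names[8];
    int n = collect_names(dir, names, 8);

    /* readdir() order is unspecified, so check membership, not position */
    int seen_alpha = 0, seen_beta = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(names[i].name, "alpha.txt") == 0) seen_alpha = 1;
        if (strcmp(names[i].name, "beta.txt") == 0)  seen_beta = 1;
    }
    int ok = (n == 2) && seen_alpha && seen_beta;

    for (int i = 0; i < 2; i++) {
        snprintf(fpath, sizeof fpath, "%s/%s", dir, files[i]);
        unlink(fpath);
    }
    rmdir(dir);
    return ok ? 0 : 1;
}

int main(void)
{
    int rc = demo_readdir_copy();
    puts(rc == 0 ? "names copied safely before closedir" : "demo failed");
    return rc;
}
```

The same copy-out discipline also sidesteps the rewinddir()/seekdir() question raised above: if the caller never holds a dirent pointer across any other call on the stream, it does not matter which of those calls an implementation chooses to treat as invalidating.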
