Message-ID: <4f0953e3c103fac9cf01059781742644@ispras.ru>
Date: Thu, 29 Feb 2024 17:03:51 +0300
From: Alexey Izbyshev <izbyshev@...ras.ru>
To: musl@...ts.openwall.com
Subject: Re: Potentially infinite loop in posix_spawn'ed child

On 2021-05-25 17:32, Rich Felker wrote:
> On Tue, May 25, 2021 at 09:30:18AM +0300, Alexey Izbyshev wrote:
>> On 2021-05-24 23:33, Rich Felker wrote:
>> >On Mon, May 24, 2021 at 01:09:21PM +0300, Alexey Izbyshev wrote:
>> >>Hi,
>> >>
>> >>I've noticed the following loop at https://git.musl-libc.org/cgit/musl/tree/src/process/posix_spawn.c#n159:
>> >>
>> >>    exec(args->path, args->argv, args->envp);
>> >>    ret = -errno;
>> >>
>> >>fail:
>> >>    /* Since sizeof errno < PIPE_BUF, the write is atomic. */
>> >>    ret = -ret;
>> >>    if (ret) while (__syscall(SYS_write, p, &ret, sizeof ret) < 0);
>> >>    _exit(127);
>> >>
>> >>Is there any reason that write is done in a loop? If SIGPIPE is
>> >>blocked or ignored and the parent dies before this point, the child
>> >>will spin in it forever.
>> >
>> >I suppose the special case of EPIPE should be considered here as no
>> >need to inform the parent. Are there any other errors that should be
>> >treated specially?
>> >
>> I'm not aware of any other errors that would need treatment. Is this
>> loop intended to be a detection/debugging aid in case of an
>> unexpected error?
> 
> It's not a debugging aid so much as a guarantee against forward
> progress doing the wrong thing (wrongly reporting success to the
> parent when the execve failed). I don't think there are any errors
> that should be able to happen here aside from EPIPE though, short of
> munging with syscall semantics using seccomp or something which is
> outside the scope of what could be expected to work correctly.
> 
I've never sent a patch for this, doing it now.

Thanks,
Alexey

View attachment "0001-posix_spawn-fix-child-spinning-on-write-to-a-broken-.patch" of type "text/x-diff" (1426 bytes)
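
The failure mode discussed above, as an added example that is not part of this message, the attached patch, or musl's source: with SIGPIPE ignored and the read end of the pipe closed, every write fails with EPIPE, so an unconditional retry loop never ends. The helper and scenario names below are hypothetical, and stopping on EPIPE follows the suggestion quoted in the thread.

```c
#include <errno.h>
#include <signal.h>
#include <unistd.h>

/* Hypothetical helper (not musl's code): report a failed exec's errno to
 * the parent over the pipe. Like the quoted loop, it retries on errors so a
 * failure is never dropped silently, but it stops on EPIPE: the reader is
 * gone, so nobody is left to inform.
 * Returns 0 if the value was written, -1 if the reader has gone away. */
static int report_exec_error(int fd, int err)
{
    /* sizeof err < PIPE_BUF, so the write is atomic. */
    while (write(fd, &err, sizeof err) < 0)
        if (errno == EPIPE)
            return -1;
    return 0;
}

/* Constructed scenario: SIGPIPE is ignored, and the read end is either
 * closed (parent died) or still open (parent alive). */
static int demo(int close_reader)
{
    int p[2], got = 0, r;

    signal(SIGPIPE, SIG_IGN);
    if (pipe(p))
        return -2;
    if (close_reader)
        close(p[0]);

    r = report_exec_error(p[1], ENOENT);

    if (!close_reader) {
        /* The live reader must receive exactly the reported errno. */
        if (read(p[0], &got, sizeof got) != sizeof got || got != ENOENT)
            r = -3;
        close(p[0]);
    }
    close(p[1]);
    return r;
}

int main(void)
{
    /* Dead reader: returns instead of spinning. Live reader: delivered. */
    return (demo(1) == -1 && demo(0) == 0) ? 0 : 1;
}
```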
