Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 2 Aug 2017 18:02:49 +0200
From: Denys Vlasenko <vda.linux@...glemail.com>
To: musl <musl@...ts.openwall.com>
Subject: Re: shell needs to change fd in a FILE

On Wed, Aug 2, 2017 at 5:38 PM, Rich Felker <dalias@...c.org> wrote:
> On Wed, Aug 02, 2017 at 02:08:09PM +0200, Denys Vlasenko wrote:
>> On Mon, Jul 31, 2017 at 10:18 PM, Rich Felker <dalias@...c.org> wrote:
>> > On Mon, Jul 31, 2017 at 05:05:24PM +0200, Denys Vlasenko wrote:
> I see. So if you have builtin commands executed with fd 2 redirected,
> and they potentially output errors, it would go to the wrong place. If
> all the messages are via explicit writes to stderr, this is probably
> not too bad to work around just by using a different FILE that can
> vary, but if things like perror also get used it could be a lot more
> of a pain.

That's exactly the thing. So far I'm not passing a FILE pointer down
a gazillion code paths which can possibly emit error messages.
They also do not pass FILEs down into "print error message [and die]"
utility functions.

>> > I don't see how this is a problem unless you can read scripts from a
>> > non-seekable stream, which sounds really dubious.
>>
>> I just tried: "bash /dev/tty" and "echo uname | bash /dev/fd/0"
>> works. I prefer to not needlessly prevent my shell from being able
>> to do that too.
>
> Is this just a theoretical concern or something you've encountered in
> the wild?

So far it's theoretical. Just aiming to be no worse than "competition" :)


> FWIW I noticed a while back (and got bit badly) by hush's
> failure to safely remap the fd it's reading the script from, so I
> think replacing "fails badly as soon as the script exceeds stdio
> buffer size" with "just fails when using non-seekable script input"
> would be a significant improvement already.

Those are/were bugs and I'm fixing them as I find them.
Fixed a bunch of more obscure ones recently. IOW: I replace the situation
with "works correctly regardless of script size and and redirections"
situation.

And currently I have one more bug in my sight:

    . ./SCRIPT   # opened to fd 10
    # in SCRIPT:
    exec 10>FILE

To fix this, I will have to ditch usage of FILE for script reading.
Or find a way to explain to FILE that its fd has been moved.

>> One easy solution is to ditch FILE and use my own buffering.
>> ash/dash already did exactly that many years ago, for this very reason.
>>
>> This would mean that libc has some 25 kb of really good, well-debugged
>> I/O buffering code which I am not using because it misses
>> just one (!) trivial operation in the API, fp->fd = new_fd.
>
> Poking through an abstraction to change internal state in a way that
> nobody has specified or thought out is trivial to implement, but not
> necessarily trivial to deal with the consequences of.
>
> Let me give a subtle example from somewhere different:
> malloc_usable_size():
>
> You'd expect this function to be pretty simple and non-costly to
> support. The implementation has to know how much memory it allocated
> for a block in order to free it, so you'd think malloc_usable_size
> would not impose any implementation burden to store additional
> information about the allocation. Unfortunately, that's not correct.
> Suppose you call malloc(19) and, due to alignment issues, the
> implementation actually has to have the allocation end at 24 bytes
> rather than just 19. Now, if malloc_usable_size returns 24, the caller
> can assume it got lucky and can use indices 19-23 before having to
> realloc to get more, right? Nope.
>
> Unfortunately, the actual allocation size of 19 may be visible to the
> compiler (_FORTIFY_SOURCE/__builtin_object_size, and/or
> UBSan/ASan/etc.) at the point indices 19-23 are accessed, resulting in
> a trap for the (UB) accesses after malloc_usable_size told the caller
> it was okay to access them! So now we're stuck with a nonstandard
> hackish function we should never have implemented, malloc_usable_size,
> and need to find a place for the implementation to store the actual
> nominal size (19) in addition to the aligned size (24) just so that
> malloc_usable_size can return the right number to the caller to keep
> it from invoking UB. This will either require wasted space (extra
> field) or wasted time in standard codepaths (storing a non-aligned
> size and rounding it up every time malloc needs to access it
> internally). Bleh.

Or require people to "#ifndef _FORTIFY_SOURCE" around their use of
malloc_usable_size(). IOW: if they build a debug version of their code,
it's their problem when some iffy optimizations cause _them_ pain.
It's not something particularly new. IIRC some optimized strlen()
code had the problem of sometimes reading past the string end,
but never past the page, and never depending on that data,
so it was fine - but did cause instrumentation to flag it as
"use of uninitialized data".


> I don't necessarily see something like this happening with set_fileno,
> but the whole point is that we didn't see it happening with
> malloc_usable_size either, until it did.
>
>> This was the thought which prompted me to write the email:
>> by seeing how much this would help, you might agree.
>
> I do see how helpful it would be, but there are also very good reasons
> I'm cautious (and the musl community tends to be very skeptical) of
> this sort of thing, which I hope you can understand too.

I understand that pushback is a good thing: you need me to show you
why adding new $FEATURE is bringing more benefits that costs.

I propose to reduce costs for you by allowing set_fd(fp, fd)
to fail. Also, it should be explicitly defined
that any buffered input or output data is not discarded
or sent to previous fd during/after the call - tt only
changes internal fd, if possible No flushing, no seeking.
Essentially, user has to take care and fflush(fp)
before he starts messing with fds, or buffered data
may end up up written to a wrong fd.

> Do you know what portion of the ~25k of buffered IO code (stdio) from
> musl you're actually using for parsing scripts? If it's mostly just
> getc and ungetc

Most of the printf formatting machinery is used because of messages.
IOW: I suspect large part of stdio is used. It's a shame
to link in all that code and _then_ also add a reimplementation
of part of it.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.