Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 2 Aug 2017 11:38:13 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: shell needs to change fd in a FILE

On Wed, Aug 02, 2017 at 02:08:09PM +0200, Denys Vlasenko wrote:
> On Mon, Jul 31, 2017 at 10:18 PM, Rich Felker <dalias@...c.org> wrote:
> > On Mon, Jul 31, 2017 at 05:05:24PM +0200, Denys Vlasenko wrote:
> >> Hi,
> >>
> >> I'm using ordinary FILE i/o for reading scripts in hush shell,
> >> instead of rolling my own implementation, so that I can reuse
> >> buffering code in libc, through the use of fgetc().
> >>
> >> This works for almost all cases, except this one: if in script
> >> I have a redirect which says shell wants to open a fd which happens
> >> to be equal to the fd (say, 10) shell already used for script FILE:
> >>
> >>     exec 10>FILE
> >>
> >> What other shells do in this situation is they simply
> >> dup and close script fd [in real code, they use fcntl(F_DUPFD)
> >> instead of dup() since they want to avoid getting low fds],
> >> so that fd is "moved" and no longer collides with the redirect.
> >
> > The right solution to this problem is not to actually reassign fds in
> > the shell process at all, but instead reassign them in the child
> > process to match their nominal (per the redirection operator) value.
> > This is easy with fork+exec, hard or impossible to do safely with
> > vfork+exec, and easy with posix_spawn.
> >
> > For commands which are internal (no child process), then, the nominal
> > fd number is not the actual fd number but it doesn't matter; the
> > internal logic can just remap it.
> 
> "Just remap it" is actually quite a PITA in this case.

That's why I said:

> > Not saying you have to do it this way, but it's the clean (and the

It's just how I would go about implementing a shell, and the only way
I'm aware of that's possible in a portable and hacks-free way.

> This means "can't use standard functions emitting messages to stderr,
> because my stderr in builtins may be not on fd 2 but somewhere else".
> Would you enjoy this turn of events? It's not like shell logic is
> such an easy piece of code before you add this fd remapping thing.

I see. So if you have builtin commands executed with fd 2 redirected,
and they potentially output errors, it would go to the wrong place. If
all the messages are via explicit writes to stderr, this is probably
not too bad to work around just by using a different FILE that can
vary, but if things like perror also get used it could be a lot more
of a pain. Initial adaptation might be fairly easy but avoiding
regressions from inadvertent reintroduction of stderr access is not so
easy. If you (or someone else) wanted to go this way, GCC's #pragma
poison would probably be the tool for avoiding regressions -- poison
all functions that implicitly use stderr.

> > Not saying you have to do it this way, but it's the clean (and the
> > only strictly-conforming, since POSIX allows implementation-internal
> > fd use that you *can't* safely move).
> 
> For the functions used in shell, there is no reason for libc to use
> hidden fds. Shells don't use openlog() or DNS resolution functions.
> So this is only a theoretical thing to worry in this case.

I agree this is a more theoretical concern as long as you're happy
with just working on Linux or very similar systems. In general,
though, even things like the working directory could be implemented as
a hidden fd.

> >> I can do this trick, but since I use FILE interface, then
> >> I need to inform libc that it needs to use new fd for this FILE.
> >>
> >> "fileno(fp) = new_fd;" is non-portable and does not work in either
> >> musl or glibc: it's a function, not a macro referencing
> >> (fp)->field_holding_fd.
> >>
> >> "fclose(fp); fp = fdopen(new_fd);" is not good since fp may have
> >> some buffered input, which will be lost by such code.
> >
> > I don't see how this is a problem unless you can read scripts from a
> > non-seekable stream, which sounds really dubious.
> 
> I just tried: "bash /dev/tty" and "echo uname | bash /dev/fd/0"
> works. I prefer to not needlessly prevent my shell from being able
> to do that too.

Is this just a theoretical concern or something you've encountered in
the wild? FWIW I noticed a while back (and got bit badly) by hush's
failure to safely remap the fd it's reading the script from, so I
think replacing "fails badly as soon as the script exceeds stdio
buffer size" with "just fails when using non-seekable script input"
would be a significant improvement already.

BTW one possible fix here would be checking whether the script input
is seekable, and if it's not, disabling buffering. It would make
execution of scripts from non-seekable input a lot more costly, but
would always work.

> >> How about adding a "set_fileno(fp, fd)" extension to musl,
> >> with some easy define to probe for to conditionally use it?
> >
> > I really don't want to get into the business of doing
> > application-specific stdio extensions on request. We did a couple for
> > gnulib, but that's because it's already crept into everything and the
> > alternative was them doing awful hacks trying to poke at stdio
> > internals. I think we can come up with a better solution here.
> 
> One easy solution is to ditch FILE and use my own buffering.
> ash/dash already did exactly that many years ago, for this very reason.
> 
> This would mean that libc has some 25 kb of really good, well-debugged
> I/O buffering code which I am not using because it misses
> just one (!) trivial operation in the API, fp->fd = new_fd.

Poking through an abstraction to change internal state in a way that
nobody has specified or thought out is trivial to implement, but not
necessarily trivial to deal with the consequences of.

Let me give a subtle example from somewhere different:
malloc_usable_size():

You'd expect this function to be pretty simple and non-costly to
support. The implementation has to know how much memory it allocated
for a block in order to free it, so you'd think malloc_usable_size
would not impose any implementation burden to store additional
information about the allocation. Unfortunately, that's not correct.
Suppose you call malloc(19) and, due to alignment issues, the
implementation actually has to have the allocation end at 24 bytes
rather than just 19. Now, if malloc_usable_size returns 24, the caller
can assume it got lucky and can use indices 19-23 before having to
realloc to get more, right? Nope.

Unfortunately, the actual allocation size of 19 may be visible to the
compiler (_FORTIFY_SOURCE/__builtin_object_size, and/or
UBSan/ASan/etc.) at the point indices 19-23 are accessed, resulting in
a trap for the (UB) accesses after malloc_usable_size told the caller
it was okay to access them! So now we're stuck with a nonstandard
hackish function we should never have implemented, malloc_usable_size,
and need to find a place for the implementation to store the actual
nominal size (19) in addition to the aligned size (24) just so that
malloc_usable_size can return the right number to the caller to keep
it from invoking UB. This will either require wasted space (extra
field) or wasted time in standard codepaths (storing a non-aligned
size and rounding it up every time malloc needs to access it
internally). Bleh.

I don't necessarily see something like this happening with set_fileno,
but the whole point is that we didn't see it happening with
malloc_usable_size either, until it did.

> This was the thought which prompted me to write the email:
> by seeing how much this would help, you might agree.

I do see how helpful it would be, but there are also very good reasons
I'm cautious (and the musl community tends to be very skeptical) of
this sort of thing, which I hope you can understand too.

Do you know what portion of the ~25k of buffered IO code (stdio) from
musl you're actually using for parsing scripts? If it's mostly just
getc and ungetc (or rather, if it doesn't involve complex operations
like scanf) I think just using a separate light buffered-read
framework makes the most sense. Yes there's a lot of value in musl's
"really good, well-debugged" stdio code, but most of that value is in
handling the full range of stdio behavior including subtle corner
cases correctly, and isn't something you really get a lot of advantage
from when you're just doing buffered sequential reading.

Rich

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.