Date: Mon, 8 Jul 2019 11:39:49 -0400
From: Tavian Barnes <tavianator@...ianator.com>
To: musl@...ts.openwall.com
Subject: posix_spawn() can expose the error pipe to the spawned process

posix_spawn[p]() is implemented with a pipe that sends any error codes
encountered back to the parent process.  It attempts to move the pipe
out of the way with dup() whenever that fd is used by the file_actions
as an output, but not as an input.  So something like this:

$ cat spawn_pipe.c
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

int main() {
        posix_spawn_file_actions_t fa;
        posix_spawn_file_actions_init(&fa);
        posix_spawn_file_actions_adddup2(&fa, 4, 1);

        char *argv[] = { "printf", "\\5\\0\\0\\0", NULL };

        pid_t pid;
        int ret = posix_spawnp(&pid, "printf", &fa, NULL, argv, environ);
        fprintf(stderr, "posix_spawnp(): %s\n", strerror(ret));
        return ret;
}
$ musl-gcc -Wall spawn_pipe.c -o spawn_pipe && ./spawn_pipe
posix_spawnp(): I/O error

ends up writing to that pipe and causing posix_spawn() to report
arbitrary errors.  Presumably it should fail before exec()ing with
EBADF instead.

-- 
Tavian Barnes
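
A caller-side guard for the case reported above, as an added example that is not part of the original message or of musl: it refuses to queue a dup2 file action whose source descriptor is not open in the calling process, so the spawn never reaches the point where an internal descriptor could be picked up in its place. The helper name checked_adddup2 and the function verdict_for_pipe_end are hypothetical, and the check assumes the source fd is not meant to be created by an earlier file action in the same list.

```c
#include <errno.h>
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not a libc function): queue dup2(srcfd, fd) only if
 * srcfd is open in the calling process right now.  Assumes srcfd is not
 * meant to be created by an earlier file action in the same list. */
int checked_adddup2(posix_spawn_file_actions_t *fa, int srcfd, int fd)
{
        if (srcfd < 0 || fcntl(srcfd, F_GETFD) == -1)
                return EBADF;
        return posix_spawn_file_actions_adddup2(fa, srcfd, fd);
}

/* Constructed check: run the helper on a pipe's write end, either while it
 * is open (close_first == 0) or after closing it (close_first != 0). */
int verdict_for_pipe_end(int close_first)
{
        posix_spawn_file_actions_t fa;
        int p[2], ret;

        if (pipe(p) != 0)
                return errno;
        if (close_first)
                close(p[1]);
        posix_spawn_file_actions_init(&fa);
        ret = checked_adddup2(&fa, p[1], 1);
        posix_spawn_file_actions_destroy(&fa);
        close(p[0]);
        if (!close_first)
                close(p[1]);
        return ret;
}

int main(void)
{
        printf("open source fd:   %s\n", strerror(verdict_for_pipe_end(0)));
        printf("closed source fd: %s\n", strerror(verdict_for_pipe_end(1)));
        return 0;
}
```

The check is made in the parent at the time the action is queued, so a descriptor closed between that point and the posix_spawn() call is not caught.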
