Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 15 Aug 2022 14:57:18 -0400
From: Rich Felker <dalias@...c.org>
To: Érico Nogueira <ericonr@...root.org>
Cc: musl@...ts.openwall.com
Subject: Re: [PATCH] remove extraneous syscall from fopen(3)

On Mon, Aug 15, 2022 at 03:31:30PM -0300, Érico Nogueira wrote:
> On Mon Aug 15, 2022 at 3:16 PM -03, Rich Felker wrote:
> > On Mon, Aug 15, 2022 at 02:58:40PM -0300, Érico Nogueira wrote:
> > > On Mon Aug 15, 2022 at 2:54 PM -03, Rich Felker wrote:
> > > > On Mon, Aug 15, 2022 at 02:50:21PM -0300, Érico Nogueira wrote:
> > > > > the __fdopen() call afterwards will set the close-on-exec flag with the
> > > > > same syscall if "e" was specified in mode
> > > > > ---
> > > > >  src/stdio/fopen.c | 2 --
> > > > >  1 file changed, 2 deletions(-)
> > > > > 
> > > > > diff --git a/src/stdio/fopen.c b/src/stdio/fopen.c
> > > > > index e1b91e12..22b72edf 100644
> > > > > --- a/src/stdio/fopen.c
> > > > > +++ b/src/stdio/fopen.c
> > > > > @@ -20,8 +20,6 @@ FILE *fopen(const char *restrict filename, const char *restrict mode)
> > > > >  
> > > > >  	fd = sys_open(filename, flags, 0666);
> > > > >  	if (fd < 0) return 0;
> > > > > -	if (flags & O_CLOEXEC)
> > > > > -		__syscall(SYS_fcntl, fd, F_SETFD, FD_CLOEXEC);
> > > > >  
> > > > >  	f = __fdopen(fd, mode);
> > > > >  	if (f) return f;
> > > > > -- 
> > > > > 2.37.2
> > > >
> > > > See commit 7765706c0584ed4a30e0b7a3ada742e490ef02b0
> > > 
> > > If the relevant part of that commit is that the flag is added
> > > immediately after, would moving the SYS_fcntl call in __fdopen to the
> > > top of the functon be acceptable?
> >
> > Oh, I missed that it also happens in __fdopen from the 'e' being
> > present, and misunderstood your patch as just removing the fallback
> > entirely.
> >
> > No, it's not acceptable to move the fcntl in __fdopen above the malloc
> > because it would make fdopen modify the fd status on failure. I guess
> > it's questionable whether we care "how soon" after the open it happens
> > -- either way this is not a thread-safe fallback precluding fd leak on
> > old/broken kernels. But since malloc may be application-provided,
> > failure to set it before the malloc like we're doing now would be a
> > "worse behavior" in some sense, exposing the incorrect fd state to a
> > non-multithreaded application.
> 
> On some level, unless someone inherited a file descriptor or something
> similar, I'd expect them to have used O_CLOEXEC if they are also using
> "e" in mode. So hopefully this is not as much of a concern.
> 
> And I don't think fdopen setting the close-on-exec flag is behavior
> users can rely on, seeing as glibc doesn't take "e" into account in
> their fdopen implementation.

Then they probably need to fix this, as the POSIX-future 'e' behavior
(see #1526 and earlier stuff too, I think) specifies that presence of
'e' causes fdopen to set the FD_CLOEXEC flag and absence causes fdopen
to leave it alone.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.