Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 28 Feb 2023 15:51:55 -0500
From: Rich Felker <>
Subject: Re: [PATCH] accept4: don't fall back to accept if we got
 unknown flags

On Tue, Feb 28, 2023 at 11:15:06PM +0300, Alexey Izbyshev wrote:
> On 2023-02-28 20:25, Rich Felker wrote:
> >On Tue, Feb 28, 2023 at 12:21:01PM -0500, Rich Felker wrote:
> >>On Tue, Feb 28, 2023 at 02:42:39AM +0300, Alexey Izbyshev wrote:
> >>> On 2023-02-28 01:38, Rich Felker wrote:
> >>> >On Mon, Feb 27, 2023 at 10:46:54PM +0300, Alexey Izbyshev wrote:
> >>> >>accept4 emulation via accept ignores unknown flags, so it can
> >>> >>spuriously
> >>> >>succeed instead of failing (or succeed without doing the action
> >>> >>implied
> >>> >>by an unknown flag if it's added in a future kernel). Worse, unknown
> >>> >>flags trigger the fallback code even on modern kernels if the real
> >>> >>accept4 syscall returns EINVAL, because this is indistinguishable from
> >>> >>socketcall returning EINVAL due to lack of accept4 support. Fix
> >>> >>this by
> >>> >>always propagating the syscall attempt failure if unknown flags are
> >>> >>present.
> >>> >>
> >>> >>The behavior is still not ideal on old kernels lacking accept4
> >>> >>on arches
> >>> >>with socketcall, where failing with ENOSYS instead of EINVAL
> >>> >>returned by
> >>> >>socketcall would be preferable, but at least modern kernels are now
> >>> >>fine.
> >>> >
> >>> >Can you clarify what you mean about ENOSYS vs EINVAL here? I'm not
> >>> >following.
> >>> >
> >>> Sorry for confusion, I meant the following. On arches with
> >>> socketcall, if a program running on an old kernel that doesn't
> >>> support accept4 in any form calls accept4 with unknown flags, musl's
> >>> accept4 will fail with EINVAL after this patch. But the reason of
> >>> failure remains unclear to the programmer: is it because some flag
> >>> is not supported or because accept4 is not supported at all? So I
> >>> thought it'd be better to fail with ENOSYS in this case instead,
> >>> although I don't know a good way to do that: the EINVAL ambiguity
> >>> exists at socketcall level too, so testing whether the kernel's
> >>> socketcall supports __SC_accept4 or not would probably involve
> >>> calling it with known-good arguments on a separately created socket,
> >>> and I certainly don't propose to do that.
> >>>
> >>> On the other hand, it could be argued that a function that can
> >>> emulate a certain baseline feature set of another function shouldn't
> >>> fail with ENOSYS at all because the real function would never do
> >>> that. The two cleanest options for possibly-not-supported functions
> >>> seem to be either always failing with ENOSYS if the kernel doesn't
> >>> support the syscall or failing with a reasonable error if the caller
> >>> requests something unsupported by the emulation. And I think accept4
> >>> satisfies the latter with this patch.
> >>>
> >>> As an aside, note that dup3 and pipe2 currently also ignore unknown
> >>> flags on old kernels, and for pipe2 there is a valid flag (O_DIRECT)
> >>> that could be silently ignored because of that. But there is no
> >>> issue on newer kernels supporting the syscalls, unlike for accept4.
> >>
> >>The dup3 situation is even worse than you thought. The dup3 syscall is
> >>only attempted if O_CLOEXEC is set in flags. If not, the rest of flags
> >>are ignored and the dup2 syscall is made. I'll make a fix.
> >
> Indeed, I missed that, thanks.
> >These should fix both..
> The patches look good to me.
> But looking at dup3 more closely, I've noticed another bug: fcntl is
> called even if SYS_dup2 fails. So on kernels where SYS_dup3 is
> unavailable, dup3(-1, fd, O_CLOEXEC) will wrongly try to set
> FD_CLOEXEC on fd.

Thanks for catching that. I'll fix it too.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.