diff options
| author | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2024-05-06 13:20:56 -0300 |
|---|---|---|
| committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2024-06-25 12:11:48 -0300 |
| commit | c90cfce849d010474e8cccf3e5bff49a2c8b141f (patch) | |
| tree | c9b85b8be86d28f7e2ddc49d9c7e9806a131e0d1 /sysdeps/unix/sysv/linux | |
| parent | 17a293c5fab878a0b59e31047f49833f156bdeef (diff) | |
| download | glibc-c90cfce849d010474e8cccf3e5bff49a2c8b141f.tar.gz glibc-c90cfce849d010474e8cccf3e5bff49a2c8b141f.tar.xz glibc-c90cfce849d010474e8cccf3e5bff49a2c8b141f.zip | |
posix: Fix pidfd_spawn/pidfd_spawnp leak if execve fails (BZ 31695)
If the pidfd_spawn/pidfd_spawnp helper process succeeds, but evecve fails for some reason (either with an invalid/non-existent, memory allocation, etc.) the resulting pidfd is never closed, nor returned to caller (so it can call close). Since the process creation failed, it should be up to posix_spawn to also, close the file descriptor in this case (similar to what it does to reap the process). This patch also changes the waitpid with waitid (P_PIDFD) for pidfd case, to avoid a possible pid re-use. Checked on x86_64-linux-gnu. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Diffstat (limited to 'sysdeps/unix/sysv/linux')
| -rw-r--r-- | sysdeps/unix/sysv/linux/spawni.c | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/sysdeps/unix/sysv/linux/spawni.c b/sysdeps/unix/sysv/linux/spawni.c index e8ed2babb9..f57e92815e 100644 --- a/sysdeps/unix/sysv/linux/spawni.c +++ b/sysdeps/unix/sysv/linux/spawni.c @@ -449,13 +449,22 @@ __spawnix (int *pid, const char *file, caller to actually collect it. */ ec = args.err; if (ec > 0) - /* There still an unlikely case where the child is cancelled after - setting args.err, due to a positive error value. Also there is - possible pid reuse race (where the kernel allocated the same pid - to an unrelated process). Unfortunately due synchronization - issues where the kernel might not have the process collected - the waitpid below can not use WNOHANG. */ - __waitpid (new_pid, NULL, 0); + { + /* There still an unlikely case where the child is cancelled after + setting args.err, due to a positive error value. Also there is + possible pid reuse race (where the kernel allocated the same pid + to an unrelated process). Unfortunately due synchronization + issues where the kernel might not have the process collected + the waitpid below can not use WNOHANG. */ + __waitid (use_pidfd ? P_PIDFD : P_PID, + use_pidfd ? args.pidfd : new_pid, + NULL, + WEXITED); + /* For pidfd we need to also close the file descriptor for the case + where execve fails. */ + if (use_pidfd) + __close_nocancel_nostatus (args.pidfd); + } } else ec = errno; |