author    Rich Felker <dalias@aerifal.cx>  2019-07-08 23:47:15 -0400
committer Rich Felker <dalias@aerifal.cx>  2019-07-08 23:47:15 -0400
commit    759900403d33baba313ae96d410d3a6807a694cc
tree      d68bfe0e6f5dc9a501c84b15c0ff9aee7c697ffb /src/process
parent    9b83182069cc3b213277104a992e195982060146
prevent dup2 action for posix_spawn internal pipe fd
as reported by Tavian Barnes, a dup2 file action for the internal pipe
fd used by posix_spawn could cause it to remain open after execve and
allow the child to write an artificial error into it, confusing the
parent. POSIX allows internal use of file descriptors by the
implementation, with undefined behavior for poking at them, so this is
not a conformance problem, but it seems preferable to diagnose and
prevent the error when we can do so easily.

catch attempts to apply a dup2 action to the internal pipe fd and
emulate EBADF for it instead.
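
A minimal fork/exec model of the mechanism this commit guards, added here as an example and not musl's code: the child reports exec failure through a CLOEXEC pipe, and a dup2 action whose source is that pipe fd is refused with EBADF before it can create a copy that survives execve. The names (`fdop`, `apply_actions`, `spawn_model`) are mine; the model also moves the pipe aside when an action targets its fd number, which is my assumption about the surrounding code that the hunk below does not show.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
struct fdop { int srcfd, fd; };   /* one dup2 file action: dup2(srcfd, fd) */
/* Child side: apply dup2 actions; *pipefd is the CLOEXEC write end of the
 * error pipe. Returns 0 or errno. Models this commit's guard (srcfd == pipe fd
 * -> EBADF) and moving the pipe aside when an action targets its number. */
static int apply_actions(const struct fdop *ops, size_t nops, int *pipefd)
{
    for (size_t i = 0; i < nops; i++) {
        if (ops[i].srcfd == *pipefd) return EBADF;  /* dup would outlive execve */
        if (ops[i].fd == *pipefd) {
            int np = fcntl(*pipefd, F_DUPFD_CLOEXEC, 0);
            if (np < 0) return errno;
            close(*pipefd); *pipefd = np;
        }
        if (ops[i].srcfd != ops[i].fd && dup2(ops[i].srcfd, ops[i].fd) < 0)
            return errno;
    }
    return 0;
}

/* fork/exec with an error-reporting pipe: returns 0 once execv succeeded (the
 * CLOEXEC pipe closes, the parent reads EOF), otherwise the child's errno. */
static int spawn_model(const char *path, char *const argv[],
                       const struct fdop *ops, size_t nops)
{
    int p[2], err; ssize_t n;
    if (pipe(p) < 0) return errno;
    fcntl(p[0], F_SETFD, FD_CLOEXEC); fcntl(p[1], F_SETFD, FD_CLOEXEC);
    pid_t pid = fork();
    if (pid < 0) { err = errno; close(p[0]); close(p[1]); return err; }
    if (pid == 0) {
        close(p[0]);
        if ((err = apply_actions(ops, nops, &p[1])) == 0) {
            execv(path, argv);
            err = errno;              /* exec failed: report it through the pipe */
        }
        while (write(p[1], &err, sizeof err) < 0 && errno == EINTR) ;
        _exit(127);
    }
    close(p[1]);
    while ((n = read(p[0], &err, sizeof err)) < 0 && errno == EINTR) ;
    close(p[0]);
    if (n <= 0) return 0;             /* child is running; caller reaps it */
    waitpid(pid, NULL, 0);            /* reap the child that failed to exec */
    return err;
}
```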

Diffstat (limited to 'src/process')
 -rw-r--r-- src/process/posix_spawn.c | 4
 1 file changed, 4 insertions, 0 deletions
diff --git a/src/process/posix_spawn.c b/src/process/posix_spawn.c
index 5aaf829d..306faa05 100644
--- a/src/process/posix_spawn.c
+++ b/src/process/posix_spawn.c
@@ -101,6 +101,10 @@ static int child(void *args_vp)
 				break;
 			case FDOP_DUP2:
 				fd = op->srcfd;
+				if (fd == p) {
+					ret = -EBADF;
+					goto fail;
+				}
 				if (fd != op->fd) {
 					if ((ret=__sys_dup2(fd, op->fd))<0)
 						goto fail;
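Review bot: the new `if (fd == p)` guard in the FDOP_DUP2 case is only correct if `p` still names the current internal pipe fd at this point; if an earlier file action can relocate the pipe (the hunk's context does not show whether `p` is refreshed when an action targets it), the comparison must be against the updated value. The check also carries no comment: the rationale (that `p` is the synchronization pipe and that EBADF is deliberate emulation, not a kernel result) lives only in the commit message, so a one-line comment above `ret = -EBADF;` would spare future readers a trip to the log.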