summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Vlasenko2018-07-24 18:01:22 +0200
committerDenys Vlasenko2018-07-24 18:01:22 +0200
commit945e9b05c910d3b946a5d5a396c5a7e075513e6e (patch)
tree9e0dd8e37ca6eded1849791097846ee8e7e32c51
parent63c42afaa43d42def05dfbca1f4e10c7314b1f77 (diff)
downloadbusybox-945e9b05c910d3b946a5d5a396c5a7e075513e6e.zip
busybox-945e9b05c910d3b946a5d5a396c5a7e075513e6e.tar.gz
hush: fix/explain corner cases of redirection colliding with script fd
function old new delta save_fd_on_redirect 200 208 +8 run_pipe 1870 1873 +3 setup_redirects 321 322 +1 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 3/0 up/down: 12/0) Total: 12 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--shell/hush.c61
1 files changed, 49 insertions, 12 deletions
diff --git a/shell/hush.c b/shell/hush.c
index 7a1513c..e3c6e2d 100644
--- a/shell/hush.c
+++ b/shell/hush.c
@@ -7470,16 +7470,54 @@ static int save_fd_on_redirect(int fd, int avoid_fd, struct squirrel **sqp)
return 1; /* "we closed fd" */
}
#endif
+ /* Are we called from setup_redirects(squirrel==NULL)
+ * in redirect in a [v]forked child?
+ */
+ if (sqp == NULL) {
+ /* No need to move script fds.
+ * For NOMMU case, it's actively wrong: we'd change ->fd
+ * fields in memory for the parent, but parent's fds
+ * aren't be moved, it would use wrong fd!
+ * Reproducer: "cmd 3>FILE" in script.
+ * If we would call move_HFILEs_on_redirect(), child would:
+ * fcntl64(3, F_DUPFD_CLOEXEC, 10) = 10
+ * close(3) = 0
+ * and change ->fd to 10 if fd#3 is a script fd. WRONG.
+ */
+ //bb_error_msg("sqp == NULL: [v]forked child");
+ return 0;
+ }
+
/* If this one of script's fds? */
if (move_HFILEs_on_redirect(fd, avoid_fd))
return 1; /* yes. "we closed fd" (actually moved it) */
- /* Are we called from setup_redirects(squirrel==NULL)? Two cases:
- * (1) Redirect in a forked child.
- * (2) "exec 3>FILE".
+ /* Are we called for "exec 3>FILE"? Came through
+ * redirect_and_varexp_helper(squirrel=ERR_PTR) -> setup_redirects(ERR_PTR)
+ * This case used to fail for this script:
+ * exec 3>FILE
+ * echo Ok
+ * ...100000 more lines...
+ * echo Ok
+ * as follows:
+ * read(3, "exec 3>FILE\necho Ok\necho Ok"..., 1024) = 1024
+ * open("FILE", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
+ * dup2(4, 3) = 3
+ * ^^^^^^^^ oops, we lost fd#3 opened to our script!
+ * close(4) = 0
+ * write(1, "Ok\n", 3) = 3
+ * ... = 3
+ * write(1, "Ok\n", 3) = 3
+ * read(3, 0x94fbc08, 1024) = -1 EBADF (Bad file descriptor)
+ * ^^^^^^^^ oops, wrong fd!!!
+ * With this case separate from sqp == NULL and *after* move_HFILEs,
+ * it now works:
*/
- if (!sqp)
+ if (sqp == ERR_PTR) {
+ /* Don't preserve redirected fds: exec is _meant_ to change these */
+ //bb_error_msg("sqp == ERR_PTR: exec >FILE");
return 0;
+ }
/* Check whether it collides with any open fds (e.g. stdio), save fds as needed */
*sqp = add_squirrel(*sqp, fd, avoid_fd);
@@ -7618,7 +7656,7 @@ static int setup_redirects(struct command *prog, struct squirrel **sqp)
*/
} else {
/* if newfd is a script fd or saved fd, simulate EBADF */
- if (internally_opened_fd(newfd, sqp ? *sqp : NULL)) {
+ if (internally_opened_fd(newfd, sqp && sqp != ERR_PTR ? *sqp : NULL)) {
//errno = EBADF;
//bb_perror_msg_and_die("can't duplicate file descriptor");
newfd = -1; /* same effect as code above */
@@ -8633,8 +8671,8 @@ static int checkjobs_and_fg_shell(struct pipe *fg_pipe)
* subshell: ( list ) [&]
*/
#if !ENABLE_HUSH_MODE_X
-#define redirect_and_varexp_helper(command, squirrel, argv_expanded) \
- redirect_and_varexp_helper(command, squirrel)
+#define redirect_and_varexp_helper(command, sqp, argv_expanded) \
+ redirect_and_varexp_helper(command, sqp)
#endif
static int redirect_and_varexp_helper(
struct command *command,
@@ -8651,10 +8689,6 @@ static int redirect_and_varexp_helper(
/* this takes ownership of new_env[i] elements, and frees new_env: */
set_vars_and_save_old(new_env);
- /* setup_redirects acts on file descriptors, not FILEs.
- * This is perfect for work that comes after exec().
- * Is it really safe for inline use? Experimentally,
- * things seem to work. */
return setup_redirects(command, sqp);
}
static NOINLINE int run_pipe(struct pipe *pi)
@@ -8855,7 +8889,10 @@ static NOINLINE int run_pipe(struct pipe *pi)
*/
enter_var_nest_level();
G.shadowed_vars_pp = &old_vars;
- rcode = redirect_and_varexp_helper(command, /*squirrel:*/ NULL, argv_expanded);
+ rcode = redirect_and_varexp_helper(command,
+ /*squirrel:*/ ERR_PTR,
+ argv_expanded
+ );
G.shadowed_vars_pp = sv_shadowed;
/* rcode=1 can be if redir file can't be opened */