This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: popen bug, extension

From: Jeff Johnston <jjohnstn at redhat dot com>
To: Eric Blake <ebb9 at byu dot net>
Cc: newlib at sources dot redhat dot com
Date: Tue, 18 Aug 2009 12:17:48 -0400
Subject: Re: popen bug, extension
References: <4A8ACB99.7050508@byu.net>

Hi Eric,

Go ahead and commit. Just fix the typo "wries" in your documentation.

-- Jeff J.

Eric Blake wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

popen has a bug where it leaks fds to subsequent popen child processes if
fcntl is not supported, or if the parent explicitly messes with fcntl
after the fact.  Since it already maintains a list of popen'd fds in the
parent, we can exploit that list to obey POSIX without using FD_CLOEXEC in
the first place (and strace testing on recent BSD, Solaris, and glibc
hints that similar list management is being done in those implementations,
rather than use of FD_CLOEXEC).

Meanwhile, the use of FD_CLOEXEC is still nice if you plan on spawning
non-popen children (and have fcntl support), enough so that glibc supports
popen(cmd,"re") to create a stream with the cloexec bit already set.

And documentation is always nice.

OK to commit?  I have plans for an eventual followup patch to use pipe2 on
platforms that support that, so that a mode of "re" can atomically set the
cloexec bit in the parent (it still requires just as many syscalls, since
the child process then has to undo the cloexec bit on its side of the
pipe.  But using pipe2 would close a security hole where the parent's fd
can be leaked in a multi-threaded process if another thread does a
fork/exec between popen's use of pipe and vfork).  But no point
writing/testing that patch until pipe2 is more widely supported.

2009-08-18 Eric Blake <ebb9@byu.net>

	Improve popen compatibility with glibc.
	* libc/posix/popen.c (popen): The 2006-08-22 change to use
	FD_CLOEXEC disagrees with other implementations; instead, use
	pidlist to work even when fcntl is not available.  Meanwhile,
	support the 'e' modifier to set CLOEXEC, as in glibc.  Drop
	cygwin-specific code, now that cygwin has its own version.
	* libc/posix/Makefile.am (CHEWOUT_FILES): Document popen.
	* libc/posix/posix.tex: New file.

- --
Don't work too hard, make some time for fun as well!

Eric Blake             ebb9@byu.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqKy5kACgkQ84KuGfSFAYCo3wCfXkL+Jatgc/xmfzZLVybJEYVG HGgAnj/LMpVRnLBtzrY4KBgWbLr1rYaB =v7Og -----END PGP SIGNATURE-----

Follow-Ups:
- Re: popen bug, extension
  - From: Eric Blake

References:
- popen bug, extension
  - From: Eric Blake

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]