Merge pull request #2643 from matt335672/close_unwanted_fds

Fix leaking file descriptors
This commit is contained in:
matt335672 2023-05-02 11:54:05 +01:00 committed by GitHub
commit 563cfaf009
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 245 additions and 6 deletions

View File

@ -73,12 +73,10 @@ internal_log_file_open(const char *fname)
} }
} }
#ifdef FD_CLOEXEC
if (ret != -1) if (ret != -1)
{ {
fcntl(ret, F_SETFD, FD_CLOEXEC); g_file_set_cloexec(ret, 1);
} }
#endif
return ret; return ret;
} }
@ -1175,3 +1173,27 @@ getFormattedDateTime(char *replybuf, int bufsize)
return replybuf; return replybuf;
} }
/*****************************************************************************/
#ifdef USE_DEVEL_LOGGING
void
log_devel_leaking_fds(const char *exe, int min, int max)
{
struct list *fd_list = g_get_open_fds(min, max);
if (fd_list != NULL)
{
int i;
for (i = 0 ; i < fd_list->count ; ++i)
{
int fd = (int)fd_list->items[i];
if (g_file_get_cloexec(fd) == 0)
{
LOG_DEVEL(LOG_LEVEL_WARNING,
"File descriptor %d is not CLOEXEC when running %s",
fd, exe);
}
}
}
}
#endif // USE_DEVEL_LOGGING

View File

@ -149,6 +149,8 @@ enum logReturns
#define LOG_HEXDUMP(log_level, message, buffer, length) \ #define LOG_HEXDUMP(log_level, message, buffer, length) \
log_hexdump_with_location(__func__, __FILE__, __LINE__, log_level, message, buffer, length) log_hexdump_with_location(__func__, __FILE__, __LINE__, log_level, message, buffer, length)
#define LOG_DEVEL_LEAKING_FDS(exe,min,max) log_devel_leaking_fds(exe,min,max)
#else #else
#define LOG(log_level, args...) log_message(log_level, args) #define LOG(log_level, args...) log_message(log_level, args)
#define LOG_HEXDUMP(log_level, message, buffer, length) \ #define LOG_HEXDUMP(log_level, message, buffer, length) \
@ -160,6 +162,7 @@ enum logReturns
#define LOG_DEVEL(log_level, args...) UNUSED_VAR(LOG_STARTUP_OK) #define LOG_DEVEL(log_level, args...) UNUSED_VAR(LOG_STARTUP_OK)
#define LOG_DEVEL_HEXDUMP(log_level, message, buffer, length) UNUSED_VAR(LOG_STARTUP_OK) #define LOG_DEVEL_HEXDUMP(log_level, message, buffer, length) UNUSED_VAR(LOG_STARTUP_OK)
#define LOG_DEVEL_LEAKING_FDS(exe,min,max)
#endif #endif
/* Flags values for log_start() */ /* Flags values for log_start() */
@ -440,4 +443,22 @@ char *getLogFile(char *replybuf, int bufsize);
* @return * @return
*/ */
char *getFormattedDateTime(char *replybuf, int bufsize); char *getFormattedDateTime(char *replybuf, int bufsize);
#ifdef USE_DEVEL_LOGGING
/**
* Log open file descriptors not cloexec before execing another program
*
* Used to ensure file descriptors aren't leaking when running
* non-privileged executables
*
* Use the LOG_DEVEL_LEAKING_FDS() macro to invoke this function
*
* @param exe Executable we're about to launch
* @param min Minimum FD to consider
* @param max Maximum FD to consider + 1, or -1 for no upper FD
*/
void
log_devel_leaking_fds(const char *exe, int min, int max);
#endif
#endif #endif

View File

@ -1721,6 +1721,8 @@ g_create_wait_obj(const char *name)
close(fds[1]); close(fds[1]);
return 0; return 0;
} }
g_file_set_cloexec(fds[0], 1);
g_file_set_cloexec(fds[1], 1);
return (fds[1] << 16) | fds[0]; return (fds[1] << 16) | fds[0];
#endif #endif
} }
@ -2249,6 +2251,102 @@ g_file_lock(int fd, int start, int len)
#endif #endif
} }
/*****************************************************************************/
/* Gets the close-on-exec flag for a file descriptor */
int
g_file_get_cloexec(int fd)
{
int rv = 0;
int flags = fcntl(fd, F_GETFD);
if (flags >= 0 && (flags & FD_CLOEXEC) != 0)
{
rv = 1;
}
return rv;
}
/*****************************************************************************/
/* Sets/clears the close-on-exec flag for a file descriptor */
/* return boolean */
int
g_file_set_cloexec(int fd, int status)
{
int rv = 0;
int current_flags = fcntl(fd, F_GETFD);
if (current_flags >= 0)
{
int new_flags;
if (status)
{
new_flags = current_flags | FD_CLOEXEC;
}
else
{
new_flags = current_flags & ~FD_CLOEXEC;
}
if (new_flags != current_flags)
{
rv = (fcntl(fd, F_SETFD, new_flags) >= 0);
}
}
return rv;
}
/*****************************************************************************/
struct list *
g_get_open_fds(int min, int max)
{
struct list *result = list_create();
if (result != NULL)
{
if (max < 0)
{
max = sysconf(_SC_OPEN_MAX);
}
if (max > min)
{
struct pollfd *fds = g_new0(struct pollfd, max - min);
int i;
if (fds == NULL)
{
goto nomem;
}
for (i = min ; i < max ; ++i)
{
fds[i - min].fd = i;
}
if (poll(fds, max - min, 0) >= 0)
{
for (i = min ; i < max ; ++i)
{
if (fds[i - min].revents != POLLNVAL)
{
// Descriptor is open
if (!list_add_item(result, i))
{
goto nomem;
}
}
}
}
g_free(fds);
}
}
return result;
nomem:
list_delete(result);
return NULL;
}
/*****************************************************************************/ /*****************************************************************************/
/* Converts a hex mask to a mode_t value */ /* Converts a hex mask to a mode_t value */
#if !defined(_WIN32) #if !defined(_WIN32)

View File

@ -215,6 +215,18 @@ int g_file_write(int fd, const char *ptr, int len);
int g_file_seek(int fd, int offset); int g_file_seek(int fd, int offset);
int g_file_lock(int fd, int start, int len); int g_file_lock(int fd, int start, int len);
int g_file_duplicate_on(int fd, int target_fd); int g_file_duplicate_on(int fd, int target_fd);
int g_file_get_cloexec(int fd);
int g_file_set_cloexec(int fd, int status);
/**
* Get a list of open file descriptors
*
* @param min Min FD to consider
* @param max Max FD to consider (+1), or -1 for no limit
* @result Array of file descriptors, in ascending order.
*
* Call delete_list() on the result when you've finished with it.
*/
struct list *g_get_open_fds(int min, int max);
int g_chmod_hex(const char *filename, int flags); int g_chmod_hex(const char *filename, int flags);
int g_umask_hex(int flags); int g_umask_hex(int flags);
int g_chown(const char *name, int uid, int gid); int g_chown(const char *name, int uid, int gid);

View File

@ -355,6 +355,7 @@ trans_check_wait_objs(struct trans *self)
in_trans->type1 = TRANS_TYPE_SERVER; in_trans->type1 = TRANS_TYPE_SERVER;
in_trans->status = TRANS_STATUS_UP; in_trans->status = TRANS_STATUS_UP;
in_trans->is_term = self->is_term; in_trans->is_term = self->is_term;
g_file_set_cloexec(in_sck, 1);
g_sck_set_non_blocking(in_sck); g_sck_set_non_blocking(in_sck);
if (self->trans_conn_in(self, in_trans) != 0) if (self->trans_conn_in(self, in_trans) != 0)
{ {
@ -796,6 +797,7 @@ trans_connect(struct trans *self, const char *server, const char *port,
} }
/* Try to connect asynchronously */ /* Try to connect asynchronously */
g_file_set_cloexec(self->sck, 1);
g_tcp_set_non_blocking(self->sck); g_tcp_set_non_blocking(self->sck);
error = f_connect(self->sck, server, port); error = f_connect(self->sck, server, port);
if (error == 0) if (error == 0)
@ -881,6 +883,7 @@ trans_listen_address(struct trans *self, const char *port, const char *address)
return 1; return 1;
} }
g_file_set_cloexec(self->sck, 1);
g_tcp_set_non_blocking(self->sck); g_tcp_set_non_blocking(self->sck);
if (g_tcp_bind_address(self->sck, port, address) == 0) if (g_tcp_bind_address(self->sck, port, address) == 0)
@ -905,6 +908,7 @@ trans_listen_address(struct trans *self, const char *port, const char *address)
return 1; return 1;
} }
g_file_set_cloexec(self->sck, 1);
g_tcp_set_non_blocking(self->sck); g_tcp_set_non_blocking(self->sck);
if (g_tcp_local_bind(self->sck, port) == 0) if (g_tcp_local_bind(self->sck, port) == 0)
@ -928,6 +932,7 @@ trans_listen_address(struct trans *self, const char *port, const char *address)
return 1; return 1;
} }
g_file_set_cloexec(self->sck, 1);
g_tcp_set_non_blocking(self->sck); g_tcp_set_non_blocking(self->sck);
if (g_sck_vsock_bind_address(self->sck, port, address) == 0) if (g_sck_vsock_bind_address(self->sck, port, address) == 0)
@ -947,6 +952,7 @@ trans_listen_address(struct trans *self, const char *port, const char *address)
{ {
return 1; return 1;
} }
g_file_set_cloexec(self->sck, 1);
g_tcp_set_non_blocking(self->sck); g_tcp_set_non_blocking(self->sck);
if (g_tcp4_bind_address(self->sck, port, address) == 0) if (g_tcp4_bind_address(self->sck, port, address) == 0)
{ {
@ -965,6 +971,7 @@ trans_listen_address(struct trans *self, const char *port, const char *address)
{ {
return 1; return 1;
} }
g_file_set_cloexec(self->sck, 1);
g_tcp_set_non_blocking(self->sck); g_tcp_set_non_blocking(self->sck);
if (g_tcp6_bind_address(self->sck, port, address) == 0) if (g_tcp6_bind_address(self->sck, port, address) == 0)
{ {

View File

@ -101,6 +101,10 @@ lock_uds(const char *sockname)
g_file_close(fd); g_file_close(fd);
fd = -1; fd = -1;
} }
else
{
(void)g_file_set_cloexec(fd, 1);
}
} }
} }

View File

@ -156,6 +156,8 @@ start_chansrv(struct auth_info *auth_info,
g_cfg->env_names, g_cfg->env_names,
g_cfg->env_values); g_cfg->env_values);
LOG_DEVEL_LEAKING_FDS("chansrv", 3, -1);
/* executing chansrv */ /* executing chansrv */
g_execvp_list(exe_path, chansrv_params); g_execvp_list(exe_path, chansrv_params);
@ -273,6 +275,8 @@ start_window_manager(struct auth_info *auth_info,
g_cfg->env_values); g_cfg->env_values);
auth_set_env(auth_info); auth_set_env(auth_info);
LOG_DEVEL_LEAKING_FDS("window manager", 3, -1);
if (s->directory[0] != '\0') if (s->directory[0] != '\0')
{ {
if (g_cfg->sec.allow_alternate_shell) if (g_cfg->sec.allow_alternate_shell)
@ -555,6 +559,7 @@ start_x_server(struct auth_info *auth_info,
LOG(LOG_LEVEL_INFO, "Starting X server on display %u: %s", LOG(LOG_LEVEL_INFO, "Starting X server on display %u: %s",
s->display, s->display,
dumpItemsToString(xserver_params, execvpparams, 2048)); dumpItemsToString(xserver_params, execvpparams, 2048));
LOG_DEVEL_LEAKING_FDS("X server", 3, -1);
g_execvp_list((const char *)xserver_params->items[0], g_execvp_list((const char *)xserver_params->items[0],
xserver_params); xserver_params);
} }
@ -1015,9 +1020,12 @@ session_start(struct auth_info *auth_info,
{ {
/** /**
* We're now forked from the main sesman process, so we * We're now forked from the main sesman process, so we
* can close file descriptors that we no longer need */ * can close file descriptors that we no longer need
*
* Set FD_CLOEXEC on the FD used to send our status back to
* sesman, as our sub-processes shouldn't be able to see it */
g_file_close(fd[0]); g_file_close(fd[0]);
g_file_set_cloexec(fd[1], 1);
sesman_close_all(0); sesman_close_all(0);
@ -1117,6 +1125,8 @@ session_reconnect(int display, int uid,
if (g_file_exist(g_cfg->reconnect_sh)) if (g_file_exist(g_cfg->reconnect_sh))
{ {
LOG_DEVEL_LEAKING_FDS("reconnect script", 3, -1);
LOG(LOG_LEVEL_INFO, LOG(LOG_LEVEL_INFO,
"Starting session reconnection script on display %d: %s", "Starting session reconnection script on display %d: %s",
display, g_cfg->reconnect_sh); display, g_cfg->reconnect_sh);

View File

@ -9,6 +9,7 @@
#include <poll.h> #include <poll.h>
#include "os_calls.h" #include "os_calls.h"
#include "list.h"
#include "test_common.h" #include "test_common.h"
@ -198,6 +199,69 @@ START_TEST(test_g_file_get_size__5GiB)
END_TEST END_TEST
#endif #endif
/******************************************************************************/
/* Just test we can set and clear the flag. We don't test its operation */
START_TEST(test_g_file_cloexec)
{
int flag;
int devzerofd = g_file_open("/dev/zero");
ck_assert(devzerofd >= 0);
(void)g_file_set_cloexec(devzerofd, 1);
flag = g_file_get_cloexec(devzerofd);
ck_assert(flag != 0);
(void)g_file_set_cloexec(devzerofd, 0);
flag = g_file_get_cloexec(devzerofd);
ck_assert(flag == 0);
g_file_close(devzerofd);
}
END_TEST
/******************************************************************************/
START_TEST(test_g_file_get_open_fds)
{
int fd_count = get_open_fd_count();
int i;
struct list *start_list = g_get_open_fds(0, -1);
ck_assert_ptr_ne(start_list, NULL);
ck_assert_int_eq(start_list->count, fd_count);
// Open another file
int devzerofd = g_file_open("/dev/zero");
ck_assert(devzerofd >= 0);
// Have we now got one more open file?
struct list *open_list = g_get_open_fds(0, -1);
ck_assert_ptr_ne(open_list, NULL);
ck_assert_int_eq(open_list->count, fd_count + 1);
// Check the new file is not in the start list, but is in the open list
ck_assert_int_lt(list_index_of(start_list, devzerofd), 0);
ck_assert_int_ge(list_index_of(open_list, devzerofd), 0);
g_file_close(devzerofd);
struct list *finish_list = g_get_open_fds(0, -1);
ck_assert_ptr_ne(finish_list, NULL);
// start list same as finish list?
ck_assert_int_eq(finish_list->count, fd_count);
for (i = 0 ; i < start_list->count; ++i)
{
ck_assert_int_eq((int)finish_list->items[i],
(int)start_list->items[i]);
}
list_delete(start_list);
list_delete(open_list);
list_delete(finish_list);
}
END_TEST
/******************************************************************************/ /******************************************************************************/
START_TEST(test_g_sck_fd_passing) START_TEST(test_g_sck_fd_passing)
{ {
@ -382,8 +446,9 @@ make_suite_test_os_calls(void)
tcase_add_test(tc_os_calls, test_g_file_get_size__2GiB); tcase_add_test(tc_os_calls, test_g_file_get_size__2GiB);
tcase_add_test(tc_os_calls, test_g_file_get_size__5GiB); tcase_add_test(tc_os_calls, test_g_file_get_size__5GiB);
#endif #endif
tcase_add_test(tc_os_calls, test_g_file_cloexec);
tcase_add_test(tc_os_calls, test_g_file_get_open_fds);
tcase_add_test(tc_os_calls, test_g_sck_fd_passing); tcase_add_test(tc_os_calls, test_g_sck_fd_passing);
tcase_add_test(tc_os_calls, test_g_sck_fd_overflow); tcase_add_test(tc_os_calls, test_g_sck_fd_overflow);
return s; return s;
} }