Date: Fri, 3 May 2002 11:15:09 -0600 (MDT)
From: Fred Clift <fred@clift.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/37717: [PATCH] calls to libc locatime can leak open file descriptors
Message-ID: <200205031715.g43HF9s92692@dev.clift.org>
>Number: 37717
>Category: bin
>Synopsis: [PATCH] calls to libc locatime can leak open file descriptors
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri May 03 10:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Fred Clift
>Release: FreeBSD 4.5-STABLE i386 and -CURRENT too
>Organization:
on behalf of NTT/Verio hosting
>Environment:
System: FreeBSD -STABLE and -CURRENT, any platform
>Description:
Clearly wrong behavior in libc's localtime.c - in tzload() in src/lib/libc/stdtime/localtime.c to be precise.
There is a sanity check at the end to make sure that the file that was opened was indeed a regular file
and not say, a directory, or device, etc... If the call to fstat succeeds we _must_ have had an open file
descriptor (in an automatic variable) which it doesn't close before the immediate 'return -1;'.
hence, open file descriptor leaking
>How-To-Repeat:
write a program that calls localtime. Misconfigure /usr/share/zoneinfo/GMT to be a directory instead of a
file and run your program. That's it. Yes, this takes a misconfiguration to tickle, but since it is that
misconfiguration that the code is checking for, we should fix it.
A case where this was discovered was when running proftpd and letting it try and chroot - seems chroot
fails when you have an open descriptor of a directory (could use the open descriptor to break out of the chroot).
>Fix:
patches for -stable and -current are:
** $FreeBSD: src/lib/libc/stdtime/localtime.c,v 1.25.2.1 2001/03/05 11:37:21 obrien Exp $
--- localtime.c.old Tue Apr 30 09:21:42 2002
+++ localtime.c Tue Apr 30 09:20:52 2002
@@ -316,8 +316,10 @@
return -1;
if ((fid = _open(name, OPEN_MODE)) == -1)
return -1;
- if ((_fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode))
+ if ((_fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) {
+ close(fid);
return -1;
+ }
}
{
struct tzhead * tzhp;
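Review bot: the added `close(fid);` uses the public name, while the two calls around it in this hunk are the underscore-prefixed `_open` and `_fstat`. If the matching `_close` wrapper is available on this branch, use `_close(fid);` so the cleanup goes through the same internal libc entry points as the open and the stat. It would also help to put a one-line comment on the new block saying that a non-regular zoneinfo path (the directory case from the description) must not leave `fid` open.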
(head)
__FBSDID("$FreeBSD: src/lib/libc/stdtime/localtime.c,v 1.30 2002/03/22 21:53:13 obrien Exp $");
--- localtime.c.old Mon Mar 5 04:37:21 2001
+++ localtime.c Tue Apr 30 09:13:58 2002
@@ -315,8 +315,10 @@
return -1;
if ((fid = _open(name, OPEN_MODE)) == -1)
return -1;
- if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode))
+ if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) {
+ close(fid);
return -1;
+ }
}
{
struct tzhead * tzhp;
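Review bot: the file header on this hunk does not match its label. The block is marked (head) with a v 1.30 ident dated 2002/03/22, but `localtime.c.old` is stamped Mon Mar 5 04:37:21 2001, which is the date in the 1.25.2.1 ident above the first patch, and this hunk patches `fstat` where the first one patches `_fstat`. Please confirm which diff belongs to -stable and which to -current before either is applied. The same naming point applies here: `_open` is paired with a plain `close(fid);` in the added lines.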
>Release-Note:
>Audit-Trail:
>Unformatted:
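A regression check for the leak described in this PR follows, as an added example that is not part of the original report or of FreeBSD libc. The function names are hypothetical, `open`/`fstat`/`close` stand in for the libc-internal calls, and the directory "." is a constructed stand-in for a misconfigured zoneinfo entry.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-patch pattern: early return leaves fid open for non-regular files. */
static int open_regular_leaky(const char *name)
{
    struct stat stab;
    int fid;

    if ((fid = open(name, O_RDONLY)) == -1)
        return -1;
    if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode))
        return -1;                  /* fid is lost here, still open */
    return fid;
}

/* Patched pattern: close the descriptor before the early return. */
static int open_regular_fixed(const char *name)
{
    struct stat stab;
    int fid;

    if ((fid = open(name, O_RDONLY)) == -1)
        return -1;
    if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) {
        close(fid);
        return -1;
    }
    return fid;
}

/* Count open descriptors in [0, 256); F_GETFD fails on closed slots. */
static int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 256; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Descriptors left behind by one rejected open of a directory. */
static int leaked_by(int (*opener)(const char *))
{
    int before = count_open_fds();
    return opener(".") == -1 ? count_open_fds() - before : -1000;
}
```

A daemon can run the same before/after descriptor count around its first `localtime()` call, ahead of `chroot()`, to confirm that no directory descriptor is being carried in.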
