From owner-freebsd-bugs Fri May 3 10:20:20 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 3ACBA37B41B for ; Fri, 3 May 2002 10:20:05 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g43HK5f28395; Fri, 3 May 2002 10:20:05 -0700 (PDT) (envelope-from gnats)
Received: from dev.clift.org (dentedarmor.com [63.230.22.59]) by hub.freebsd.org (Postfix) with ESMTP id 1979637B41D for ; Fri, 3 May 2002 10:16:12 -0700 (PDT)
Received: (from fred@localhost) by dev.clift.org (8.11.6/8.9.3) id g43HF9s92692; Fri, 3 May 2002 11:15:09 -0600 (MDT) (envelope-from fred)
Message-Id: <200205031715.g43HF9s92692@dev.clift.org>
Date: Fri, 3 May 2002 11:15:09 -0600 (MDT)
From: Fred Clift
Reply-To: Fred Clift
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/37717: [PATCH] calls to libc localtime can leak open file descriptors
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         37717
>Category:       bin
>Synopsis:       [PATCH] calls to libc localtime can leak open file descriptors
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 03 10:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Fred Clift
>Release:        FreeBSD 4.5-STABLE i386 and -CURRENT too
>Organization:
on behalf of NTT/Verio hosting
>Environment:
System: FreeBSD -STABLE and -CURRENT, any platform
>Description:
Clearly wrong behavior in libc's localtime.c, in tzload() in src/lib/libc/stdtime/localtime.c to be precise. There is a sanity check at the end to make sure that the file that was opened is indeed a regular file and not, say, a directory or a device. If the call to fstat succeeds we _must_ have an open file descriptor (held in an automatic variable), which the code does not close before the immediate 'return -1;'. Hence the open file descriptor leaks.
>How-To-Repeat:
Write a program that calls localtime. Misconfigure /usr/share/zoneinfo/GMT to be a directory instead of a file and run your program. That's it.

Yes, this takes a misconfiguration to tickle, but since it is exactly that misconfiguration that the code is checking for, we should fix it. The case where this was discovered was when running proftpd and letting it try to chroot: it seems chroot fails when you have an open descriptor for a directory (the open descriptor could be used to break out of the chroot).
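The leak described above, reduced to a stand-alone program. This is an added example, not code from the PR or from FreeBSD libc: open_regular_leaky() reproduces the pre-patch open/fstat/S_ISREG sequence from tzload(), open_regular_fixed() applies the PR's fix, and leaked_fds() counts how many descriptors each leaves behind when handed a directory, which stands in for the misconfigured /usr/share/zoneinfo/GMT. The function names, the use of plain open()/close() instead of libc's internal entry points, the 256-entry descriptor scan and the /tmp file template are all assumptions of this example.

```c
/*
 * Added example (not part of the PR or of FreeBSD libc): the pre-patch
 * tzload() check beside its corrected form, plus a descriptor count that
 * makes the leak visible. Names, the 256-fd scan limit and the /tmp
 * template are assumptions of this example.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Number of descriptors currently open in this process below FD_SCAN_LIMIT. */
#define FD_SCAN_LIMIT 256
int count_open_fds(void)
{
	int n = 0;
	for (int fd = 0; fd < FD_SCAN_LIMIT; fd++)
		if (fcntl(fd, F_GETFD) != -1)	/* -1/EBADF means "not open" */
			n++;
	return n;
}

/*
 * Mirrors the pre-patch logic: open, fstat, reject anything that is not a
 * regular file. Returns 0 for a regular file, -1 otherwise. On the -1 path
 * after a successful open(), fid is never closed: that is the leak.
 */
int open_regular_leaky(const char *name)
{
	struct stat stab;
	int fid;

	if ((fid = open(name, O_RDONLY)) == -1)
		return -1;
	if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode))
		return -1;		/* BUG: fid is still open here */
	close(fid);			/* success path: a real loader would read first */
	return 0;
}

/* Same check with the PR's fix applied: release fid before every early return. */
int open_regular_fixed(const char *name)
{
	struct stat stab;
	int fid;

	if ((fid = open(name, O_RDONLY)) == -1)
		return -1;
	if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) {
		close(fid);
		return -1;
	}
	close(fid);
	return 0;
}

/*
 * Call fn once on path and report how many descriptors it left open.
 * A directory such as "/" plays the role of the misconfigured zoneinfo file.
 */
int leaked_fds(int (*fn)(const char *), const char *path)
{
	int before = count_open_fds();
	(void)fn(path);
	return count_open_fds() - before;
}

/* Create a small regular file under /tmp (constructed input). Returns 0 on success. */
int make_regular_file(char *path, size_t len)
{
	if (len < sizeof("/tmp/fdleakXXXXXX"))
		return -1;
	snprintf(path, len, "/tmp/fdleakXXXXXX");
	int fd = mkstemp(path);
	if (fd == -1)
		return -1;
	if (write(fd, "TZif", 4) != 4) {	/* same magic a tzfile starts with */
		close(fd);
		unlink(path);
		return -1;
	}
	close(fd);
	return 0;
}

int main(void)
{
	char path[32];

	printf("leaky check on a directory: %d fd(s) leaked\n", leaked_fds(open_regular_leaky, "/"));
	printf("fixed check on a directory: %d fd(s) leaked\n", leaked_fds(open_regular_fixed, "/"));
	if (make_regular_file(path, sizeof path) == 0) {
		printf("fixed check on a regular file: rc=%d, %d fd(s) leaked\n",
		    open_regular_fixed(path), leaked_fds(open_regular_fixed, path));
		unlink(path);
	}
	return 0;
}
```

Run it and the leaky variant reports one descriptor left open per call on a directory while the fixed variant reports none; in a long-lived daemon that calls localtime() repeatedly, the leaky form is what eventually exhausts the descriptor table or, as the PR notes, holds a directory open across a chroot.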
>Fix: patches for -stable and -current are: ** $FreeBSD: src/lib/libc/stdtime/localtime.c,v 1.25.2.1 2001/03/05 11:37:21 obrien Exp $ --- localtime.c.old Tue Apr 30 09:21:42 2002 +++ localtime.c Tue Apr 30 09:20:52 2002 @@ -316,8 +316,10 @@ return -1; if ((fid = _open(name, OPEN_MODE)) == -1) return -1; - if ((_fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) + if ((_fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) { + close(fid); return -1; + } } { struct tzhead * tzhp; (head) __FBSDID("$FreeBSD: src/lib/libc/stdtime/localtime.c,v 1.30 2002/03/22 21:53:13 obrien Exp $"); --- localtime.c.old Mon Mar 5 04:37:21 2001 +++ localtime.c Tue Apr 30 09:13:58 2002 @@ -315,8 +315,10 @@ return -1; if ((fid = _open(name, OPEN_MODE)) == -1) return -1; - if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) + if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode)) { + close(fid); return -1; + } } { struct tzhead * tzhp; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
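Review bot: in the first hunk (the -stable one, against localtime.c 1.25.2.1) the added `close(fid);` should be `_close(fid);` to match the `_open` and `_fstat` calls on the surrounding lines: libc calls its own entry points through the underscore names so that an application defining its own close() is not called from inside the library. With that spelling the fix is right, since the descriptor opened two lines above is now released on the `!S_ISREG` path instead of being dropped at `return -1;`.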
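Review bot: the second hunk (the -current one, against 1.30) has the same naming question: the added `close(fid);` should probably be `_close(fid);` to match the `_open` two lines above it. The pre-existing unprefixed `fstat` on the changed line shows the file already mixes the two styles, so whichever way this goes in, a follow-up to make the three calls consistent would be worthwhile. The logic of the change itself is correct.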