From ca26f1c238c51b3b2f80dd25fd7fcf8774f38ca4 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Fri, 19 Aug 2016 20:22:45 +0200 Subject: [PATCH] hush: fix a bug with "stdio rewind on exit". Closes 9186 With FEATURE_SH_STANDALONE=y, run this in a "sh SCRIPT": sha256sum /dev/null echo END sha256sum is a NOEXEC applet. It runs in a forked child. Then child exit()s. By this time, entire script is read, and buffered in a FILE object from fopen("SCRIPT"). But fgetc() did not consume entire input. exit() lseeks back by -9 bytes, from to 'e' in 'echo'. (this may be libc-specific). This change of fd position *is shared with the parent*! Now parent can read more, and it thinks there is another "echo END". End result: two "echo END"s are run. `cmd` and arithmetic also need the fix for this, even without FEATURE_SH_STANDALONE. Fix this by _exit()ing instead. Signed-off-by: Denys Vlasenko --- libbb/appletlib.c | 4 ++- shell/hush.c | 62 ++++++++++++++++++++++++++++------------- shell/hush_test/run-all | 3 +- 3 files changed, 48 insertions(+), 21 deletions(-) diff --git a/libbb/appletlib.c b/libbb/appletlib.c index 24253cf27..871f78db3 100644 --- a/libbb/appletlib.c +++ b/libbb/appletlib.c @@ -771,7 +771,9 @@ void FAST_FUNC run_applet_no_and_exit(int applet_no, char **argv) } if (ENABLE_FEATURE_SUID) check_suid(applet_no); - exit(applet_main[applet_no](argc, argv)); + xfunc_error_retval = applet_main[applet_no](argc, argv); + /* Note: applet_main() may also not return (die on a xfunc or such) */ + xfunc_die(); } void FAST_FUNC run_applet_and_exit(const char *name, char **argv) diff --git a/shell/hush.c b/shell/hush.c index eabe83ac6..8bdbd4b8d 100644 --- a/shell/hush.c +++ b/shell/hush.c @@ -1477,19 +1477,50 @@ static sighandler_t install_sighandler(int sig, sighandler_t handler) return old_sa.sa_handler; } +static void hush_exit(int exitcode) NORETURN; +static void fflush_and__exit(void) NORETURN; +static void restore_ttypgrp_and__exit(void) NORETURN; + +static void restore_ttypgrp_and__exit(void) +{ + /* xfunc has failed! die die die */ + /* no EXIT traps, this is an escape hatch! */ + G.exiting = 1; + hush_exit(xfunc_error_retval); +} + +/* Needed only on some libc: + * It was observed that on exit(), fgetc'ed buffered data + * gets "unwound" via lseek(fd, -NUM, SEEK_CUR). + * With the net effect that even after fork(), not vfork(), + * exit() in NOEXECed applet in "sh SCRIPT": + * noexec_applet_here + * echo END_OF_SCRIPT + * lseeks fd in input FILE object from EOF to "e" in "echo END_OF_SCRIPT". + * This makes "echo END_OF_SCRIPT" executed twice. + * Similar problems can be seen with die_if_script() -> xfunc_die() + * and in `cmd` handling. + * If set as die_func(), this makes xfunc_die() exit via _exit(), not exit(): + */ +static void fflush_and__exit(void) +{ + fflush_all(); + _exit(xfunc_error_retval); +} + #if ENABLE_HUSH_JOB -static void xfunc_has_died(void); /* After [v]fork, in child: do not restore tty pgrp on xfunc death */ -# define disable_restore_tty_pgrp_on_exit() (die_func = NULL) +# define disable_restore_tty_pgrp_on_exit() (die_func = fflush_and__exit) /* After [v]fork, in parent: restore tty pgrp on xfunc death */ -# define enable_restore_tty_pgrp_on_exit() (die_func = xfunc_has_died) +# define enable_restore_tty_pgrp_on_exit() (die_func = restore_ttypgrp_and__exit) /* Restores tty foreground process group, and exits. * May be called as signal handler for fatal signal * (will resend signal to itself, producing correct exit state) * or called directly with -EXITCODE. - * We also call it if xfunc is exiting. */ + * We also call it if xfunc is exiting. + */ static void sigexit(int sig) NORETURN; static void sigexit(int sig) { @@ -1544,7 +1575,6 @@ static sighandler_t pick_sighandler(unsigned sig) } /* Restores tty foreground process group, and exits. */ -static void hush_exit(int exitcode) NORETURN; static void hush_exit(int exitcode) { #if ENABLE_FEATURE_EDITING_SAVE_ON_EXIT @@ -1580,23 +1610,14 @@ static void hush_exit(int exitcode) } #endif -#if ENABLE_HUSH_JOB fflush_all(); +#if ENABLE_HUSH_JOB sigexit(- (exitcode & 0xff)); #else - exit(exitcode); + _exit(exitcode); #endif } -static void xfunc_has_died(void) NORETURN; -static void xfunc_has_died(void) -{ - /* xfunc has failed! die die die */ - /* no EXIT traps, this is an escape hatch! */ - G.exiting = 1; - hush_exit(xfunc_error_retval); -} - //TODO: return a mask of ALL handled sigs? static int check_and_run_traps(void) @@ -5913,7 +5934,8 @@ static FILE *generate_stream_from_string(const char *s, pid_t *pid_p) ) { static const char *const argv[] = { NULL, NULL }; builtin_trap((char**)argv); - exit(0); /* not _exit() - we need to fflush */ + fflush_all(); /* important */ + _exit(0); } # if BB_MMU reset_traps_to_defaults(); @@ -6466,7 +6488,8 @@ static void dump_cmd_in_x_mode(char **argv) * Never returns. * Don't exit() here. If you don't exec, use _exit instead. * The at_exit handlers apparently confuse the calling process, - * in particular stdin handling. Not sure why? -- because of vfork! (vda) */ + * in particular stdin handling. Not sure why? -- because of vfork! (vda) + */ static void pseudo_exec_argv(nommu_save_t *nommu_save, char **argv, int assignment_cnt, char **argv_expanded) NORETURN; @@ -7787,6 +7810,7 @@ int hush_main(int argc, char **argv) INIT_G(); if (EXIT_SUCCESS != 0) /* if EXIT_SUCCESS == 0, it is already done */ G.last_exitcode = EXIT_SUCCESS; + #if ENABLE_HUSH_FAST G.count_SIGCHLD++; /* ensure it is != G.handled_SIGCHLD */ #endif @@ -7876,7 +7900,7 @@ int hush_main(int argc, char **argv) /* Initialize some more globals to non-zero values */ cmdedit_update_prompt(); - die_func = xfunc_has_died; + die_func = restore_ttypgrp_and__exit; /* Shell is non-interactive at first. We need to call * install_special_sighandlers() if we are going to execute "sh