Bug 130351

Summary: udev multiple bugs
Product: [Fedora] Fedora Reporter: Steve Grubb <linux_4ever>
Component: udevAssignee: Harald Hoyer <harald>
Status: CLOSED RAWHIDE QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: rawhideCC: selinux
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: udev-030-19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-09-03 12:35:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 123268    
Attachments:
Description Flags
Patch that fixes these problems none

Description Steve Grubb 2004-08-19 14:46:59 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Gecko/20040308

Description of problem:
Udev leaks file descriptors to child processes, uninitialized
variables that get used, has an off by one in a stack array variable,
and uses an environmental variable to potentially change the UDEV_BIN
program.

I will attach a patch that fixes all these issues. An extended version
of this patch has been sent upstream.

Version-Release number of selected component (if applicable):
udev-030-3

How reproducible:
Always

Steps to Reproduce:
1. Add a rule such that BUS= "scsi" PROGRAM="/usr/bin/env_audit"
2. reboot the machine
3. Look at /tmp/env_audit0000.log

Actual Results:  Open file descriptor: 3
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: socket
Address Family: AF_UNIX

Open file descriptor: 5
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: fifo, inode - 2921, device - 7
The descriptor is: pipe:[2921]

Open file descriptor: 6
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: fifo, inode - 2921, device - 7
The descriptor is: pipe:[2921]
File descriptor mode is: write only


Expected Results:  Nothing past descriptor 2.

Additional info:

This borders on being a security bug.
Comment 1 Steve Grubb 2004-08-19 14:48:42 UTC 
Created attachment 102877 [details]
Patch that fixes these problems
Comment 2 Harald Hoyer 2004-08-19 14:51:05 UTC 
*** Bug 130100 has been marked as a duplicate of this bug. ***
Comment 3 Harald Hoyer 2004-08-19 14:53:42 UTC 
Thank you for the patch!

You may post this patch to the linux-hotplug list or I will.

Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
Comment 4 Steve Grubb 2004-08-19 15:04:22 UTC 
Feel free to send it to the list. I don't feel like subscribing and
unsubscribing just to send a patch. I sent a longer version of the
same patch to greg yesterday. I haven't received a response
yet. 

I think it needs more review. For example, opening /dev/null doesn't
seem to work, nor does it error. The first 3 descriptors need to be
opened to something innocent. 

I also think using stack variables for execle calls is bad, too. If I
recall, they should be malloc'd to reliably work on all processors.

Then there is another problem not in this patch, but sent upstream
about size_t/off_t confusion. They are different sizes, but they are
used interchangeably throughout tdb.
Comment 5 Harald Hoyer 2004-08-24 08:34:13 UTC 
please try the newest version from fedora development
Comment 6 Steve Grubb 2004-08-25 13:34:32 UTC 
It will be friday (8/27) before I can do any testing. I'm having to
rebuild the whole system from scratch.
Comment 7 Steve Grubb 2004-08-26 18:11:22 UTC 
OK, I was able to try it out. The short answer is its changed, but not
fixed.

The problem is that important descriptors are still being leaked (they
are stdin & stdout) and others are not created at all. The signal pipe
should not be leaked. A rogue program may do a printf and cause bad
results in udevd. Stdin, stdout, stderr need to be opened to something
innocent like /dev/null. The signal pipe needs the close on exec flag
set, too.

Does /dev/null exist when udevd is started?

Also, I don't recall seeing the patch take care of anything other than
closing a descriptor on exec. There is an off by one stack array
variable problem as well as uninitilized variables and a potentially
bad access of an environmental variable that needs shutting off.