Red Hat Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary | udev multiple bugs |
| Product | [Fedora] Fedora |
| Reporter | Steve Grubb <linux_4ever> |
| Component | udev |
| Assignee | Harald Hoyer <harald> |
| Status | CLOSED RAWHIDE |
| Fixed In Version | udev-030-19 |
| Doc Type | Bug Fix |
| Last Closed | 2004-09-03 08:35:35 EDT |
Description Steve Grubb 2004-08-19 10:46:59 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem:
Udev leaks file descriptors to child processes, has uninitialized variables that get used, has an off-by-one in a stack array variable, and uses an environmental variable to potentially change the UDEV_BIN program. I will attach a patch that fixes all these issues. An extended version of this patch has been sent upstream.

Version-Release number of selected component (if applicable):
udev-030-3

How reproducible:
Always

Steps to Reproduce:
1. Add a rule such that BUS="scsi" PROGRAM="/usr/bin/env_audit"
2. Reboot the machine
3. Look at /tmp/env_audit0000.log

Actual Results:

    Open file descriptor: 3
    User ID of File Owner: root
    Group ID of File Owner: root
    WARNING - Descriptor is leaked from parent.
    File type: socket
    Address Family: AF_UNIX

    Open file descriptor: 5
    User ID of File Owner: root
    Group ID of File Owner: root
    WARNING - Descriptor is leaked from parent.
    File type: fifo, inode - 2921, device - 7
    The descriptor is: pipe:

    Open file descriptor: 6
    User ID of File Owner: root
    Group ID of File Owner: root
    WARNING - Descriptor is leaked from parent.
    File type: fifo, inode - 2921, device - 7
    The descriptor is: pipe:
    File descriptor mode is: write only

Expected Results:
Nothing past descriptor 2.

Additional info:
This borders on being a security bug.
Comment 1 Steve Grubb 2004-08-19 10:48:42 EDT
Created attachment 102877: Patch that fixes these problems
Comment 2 Harald Hoyer 2004-08-19 10:51:05 EDT
*** Bug 130100 has been marked as a duplicate of this bug. ***
Comment 3 Harald Hoyer 2004-08-19 10:53:42 EDT
Thank you for the patch! You may post this patch to the linux-hotplug list or I will.

Linux-hotplug-devel mailing list
http://linux-hotplug.sourceforge.net
Linuxemail@example.com
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
Comment 4 Steve Grubb 2004-08-19 11:04:22 EDT
Feel free to send it to the list. I don't feel like subscribing and unsubscribing just to send a patch. I sent a longer version of the same patch to firstname.lastname@example.org yesterday. I haven't received a response yet. I think it needs more review. For example, opening /dev/null doesn't seem to work, nor does it error. The first 3 descriptors need to be opened to something innocent. I also think using stack variables for execle calls is bad, too. If I recall, they should be malloc'd to reliably work on all processors. Then there is another problem not in this patch, but sent upstream about size_t/off_t confusion. They are different sizes, but they are used interchangeably throughout tdb.
Comment 5 Harald Hoyer 2004-08-24 04:34:13 EDT
Please try the newest version from Fedora development.
Comment 6 Steve Grubb 2004-08-25 09:34:32 EDT
It will be Friday (8/27) before I can do any testing. I'm having to rebuild the whole system from scratch.
Comment 7 Steve Grubb 2004-08-26 14:11:22 EDT
OK, I was able to try it out. The short answer is it's changed, but not fixed. The problem is that important descriptors are still being leaked (they are stdin & stdout) and others are not created at all. The signal pipe should not be leaked. A rogue program may do a printf and cause bad results in udevd. Stdin, stdout, stderr need to be opened to something innocent like /dev/null. The signal pipe needs the close-on-exec flag set, too. Does /dev/null exist when udevd is started? Also, I don't recall seeing the patch take care of anything other than closing a descriptor on exec. There is an off-by-one stack array variable problem as well as uninitialized variables and a potentially bad access of an environmental variable that needs shutting off.
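The descriptor hygiene the description and Comment 7 ask for, written out as an added C example that is not udev's code and not the reporter's patch: a signal pipe is marked close-on-exec so a helper launched via PROGRAM= cannot inherit it, fds 0 to 2 are pointed at /dev/null before exec (and the exec is refused if /dev/null cannot be opened, which is the question Comment 7 raises), and an in-process audit counts what a helper would still inherit, in the spirit of the env_audit log in the report but not that tool. All function names, the constructed pipe, the /bin/true helper and the fixed environment passed to it are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not udev's code; names are assumptions. */

/* Mark fd close-on-exec so a helper the daemon execs cannot inherit it.
 * Idempotent. Returns 0 on success, -1 if fd is not open. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* 1 if fd is open and close-on-exec, 0 otherwise (a closed fd is 0). */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return (flags >= 0 && (flags & FD_CLOEXEC)) ? 1 : 0;
}

/* Count open fds above stderr that lack FD_CLOEXEC: the set a helper run by
 * this process would see as "leaked from parent". */
int count_inheritable_fds(void)
{
    struct rlimit rl;
    int limit = 1024, n = 0;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        limit = rl.rlim_cur < 65536 ? (int)rl.rlim_cur : 65536;
    for (int fd = 3; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Point fds 0, 1 and 2 at /dev/null so a helper that reads stdin or calls
 * printf cannot touch whatever the daemon had there. Returns -1 if /dev/null
 * cannot be opened (e.g. /dev not yet populated); the caller must not exec. */
int stdio_to_devnull(void)
{
    int nullfd = open("/dev/null", O_RDWR), rc = 0;
    if (nullfd < 0)
        return -1;
    for (int fd = 0; fd <= 2; fd++)
        if (fd != nullfd && dup2(nullfd, fd) < 0)
            rc = -1;
    if (nullfd > 2)
        close(nullfd);
    return rc;
}

/* Fork, apply the stdio hygiene in the child, exec path with a caller-chosen
 * environment (not the daemon's own). Returns the child's exit status, 127 if
 * the exec was refused or failed, -1 on fork/wait error. */
int run_helper(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (stdio_to_devnull() < 0)
            _exit(127);
        execve(path, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed scenario: a signal pipe like the one in the report (fds 5/6).
 * Returns how many fds stopped being inheritable after marking both ends. */
int demo_signal_pipe(void)
{
    int sigpipe[2];
    if (pipe(sigpipe) < 0)
        return -1;
    int before = count_inheritable_fds();
    set_cloexec(sigpipe[0]);
    set_cloexec(sigpipe[1]);
    int after = count_inheritable_fds();
    close(sigpipe[0]);
    close(sigpipe[1]);
    return before - after; /* 2: both pipe ends are now hidden from exec */
}

int main(void)
{
    char *const argv[] = { "true", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    printf("inheritable fds here: %d\n", count_inheritable_fds());
    printf("fds hidden by marking the signal pipe: %d\n", demo_signal_pipe());
    printf("/bin/true with clean stdio exited %d\n", run_helper("/bin/true", argv, envp));
    return 0;
}
```

count_inheritable_fds() run from inside the helper, rather than from the daemon, is the check that mirrors the report's expected result of "nothing past descriptor 2"; in the daemon it is useful as a self-test before the first exec. Passing an explicit envp to execve is the defensive counterpart of the report's concern about helpers picking up environment variables from the parent.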