From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308 Description of problem: Udev leaks file descriptors to child processes, uninitialized variables that get used, has an off by one in a stack array variable, and uses an environmental variable to potentially change the UDEV_BIN program. I will attach a patch that fixes all these issues. An extended version of this patch has been sent upstream. Version-Release number of selected component (if applicable): udev-030-3 How reproducible: Always Steps to Reproduce: 1. Add a rule such that BUS= "scsi" PROGRAM="/usr/bin/env_audit" 2. reboot the machine 3. Look at /tmp/env_audit0000.log Actual Results: Open file descriptor: 3 User ID of File Owner: root Group ID of File Owner: root WARNING - Descriptor is leaked from parent. File type: socket Address Family: AF_UNIX Open file descriptor: 5 User ID of File Owner: root Group ID of File Owner: root WARNING - Descriptor is leaked from parent. File type: fifo, inode - 2921, device - 7 The descriptor is: pipe:[2921] Open file descriptor: 6 User ID of File Owner: root Group ID of File Owner: root WARNING - Descriptor is leaked from parent. File type: fifo, inode - 2921, device - 7 The descriptor is: pipe:[2921] File descriptor mode is: write only Expected Results: Nothing past descriptor 2. Additional info: This borders on being a security bug.
Created attachment 102877 [details] Patch that fixes these problems
*** Bug 130100 has been marked as a duplicate of this bug. ***
Thank you for the patch! You may post this patch to the linux-hotplug list or I will. Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net Linux-hotplug-devel.net https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
Feel free to send it to the list. I don't feel like subscribing and unsubscribing just to send a patch. I sent a longer version of the same patch to greg yesterday. I haven't received a response yet. I think it needs more review. For example, opening /dev/null doesn't seem to work, nor does it error. The first 3 descriptors need to be opened to something innocent. I also think using stack variables for execle calls is bad, too. If I recall, they should be malloc'd to reliably work on all processors. Then there is another problem not in this patch, but sent upstream about size_t/off_t confusion. They are different sizes, but they are used interchangeably throughout tdb.
please try the newest version from fedora development
It will be friday (8/27) before I can do any testing. I'm having to rebuild the whole system from scratch.
OK, I was able to try it out. The short answer is its changed, but not fixed. The problem is that important descriptors are still being leaked (they are stdin & stdout) and others are not created at all. The signal pipe should not be leaked. A rogue program may do a printf and cause bad results in udevd. Stdin, stdout, stderr need to be opened to something innocent like /dev/null. The signal pipe needs the close on exec flag set, too. Does /dev/null exist when udevd is started? Also, I don't recall seeing the patch take care of anything other than closing a descriptor on exec. There is an off by one stack array variable problem as well as uninitilized variables and a potentially bad access of an environmental variable that needs shutting off.