Bug 130351 - udev multiple bugs
Summary: udev multiple bugs
Alias: None
Product: Fedora
Classification: Fedora
Component: udev
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
: 130100 (view as bug list)
Depends On:
Blocks: FC3Target
TreeView+ depends on / blocked
Reported: 2004-08-19 14:46 UTC by Steve Grubb
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version: udev-030-19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-09-03 12:35:35 UTC

Attachments (Terms of Use)
Patch that fixes these problems (4.88 KB, patch)
2004-08-19 14:48 UTC, Steve Grubb
no flags Details | Diff

Description Steve Grubb 2004-08-19 14:46:59 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)

Description of problem:
Udev leaks file descriptors to child processes, uninitialized
variables that get used, has an off by one in a stack array variable,
and uses an environmental variable to potentially change the UDEV_BIN

I will attach a patch that fixes all these issues. An extended version
of this patch has been sent upstream.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Add a rule such that BUS= "scsi" PROGRAM="/usr/bin/env_audit"
2. reboot the machine
3. Look at /tmp/env_audit0000.log

Actual Results:  Open file descriptor: 3
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: socket
Address Family: AF_UNIX

Open file descriptor: 5
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: fifo, inode - 2921, device - 7
The descriptor is: pipe:[2921]

Open file descriptor: 6
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: fifo, inode - 2921, device - 7
The descriptor is: pipe:[2921]
File descriptor mode is: write only

Expected Results:  Nothing past descriptor 2.

Additional info:

This borders on being a security bug.

Comment 1 Steve Grubb 2004-08-19 14:48:42 UTC
Created attachment 102877 [details]
Patch that fixes these problems

Comment 2 Harald Hoyer 2004-08-19 14:51:05 UTC
*** Bug 130100 has been marked as a duplicate of this bug. ***

Comment 3 Harald Hoyer 2004-08-19 14:53:42 UTC
Thank you for the patch!

You may post this patch to the linux-hotplug list or I will.

Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net

Comment 4 Steve Grubb 2004-08-19 15:04:22 UTC
Feel free to send it to the list. I don't feel like subscribing and
unsubscribing just to send a patch. I sent a longer version of the
same patch to greg@kroah.com yesterday. I haven't received a response

I think it needs more review. For example, opening /dev/null doesn't
seem to work, nor does it error. The first 3 descriptors need to be
opened to something innocent. 

I also think using stack variables for execle calls is bad, too. If I
recall, they should be malloc'd to reliably work on all processors.

Then there is another problem not in this patch, but sent upstream
about size_t/off_t confusion. They are different sizes, but they are
used interchangeably throughout tdb.

Comment 5 Harald Hoyer 2004-08-24 08:34:13 UTC
please try the newest version from fedora development

Comment 6 Steve Grubb 2004-08-25 13:34:32 UTC
It will be friday (8/27) before I can do any testing. I'm having to
rebuild the whole system from scratch.

Comment 7 Steve Grubb 2004-08-26 18:11:22 UTC
OK, I was able to try it out. The short answer is its changed, but not

The problem is that important descriptors are still being leaked (they
are stdin & stdout) and others are not created at all. The signal pipe
should not be leaked. A rogue program may do a printf and cause bad
results in udevd. Stdin, stdout, stderr need to be opened to something
innocent like /dev/null. The signal pipe needs the close on exec flag
set, too.

Does /dev/null exist when udevd is started?

Also, I don't recall seeing the patch take care of anything other than
closing a descriptor on exec. There is an off by one stack array
variable problem as well as uninitilized variables and a potentially
bad access of an environmental variable that needs shutting off.

Note You need to log in before you can comment on or make changes to this bug.