Bug 130351 - udev multiple bugs
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: udev
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Harald Hoyer
Duplicates: 130100
Depends On:
Blocks: FC3Target
 
Reported: 2004-08-19 10:46 EDT by Steve Grubb
Modified: 2007-11-30 17:10 EST

Fixed In Version: udev-030-19
Doc Type: Bug Fix
Last Closed: 2004-09-03 08:35:35 EDT


Attachments
Patch that fixes these problems (4.88 KB, patch)
2004-08-19 10:48 EDT, Steve Grubb
Description Steve Grubb 2004-08-19 10:46:59 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Gecko/20040308

Description of problem:
Udev leaks file descriptors to child processes, has uninitialized
variables that get used, has an off-by-one in a stack array variable,
and uses an environmental variable to potentially change the UDEV_BIN
program.

I will attach a patch that fixes all these issues. An extended version
of this patch has been sent upstream.

Version-Release number of selected component (if applicable):
udev-030-3

How reproducible:
Always

Steps to Reproduce:
1. Add a rule such that BUS= "scsi" PROGRAM="/usr/bin/env_audit"
2. reboot the machine
3. Look at /tmp/env_audit0000.log

Actual Results:
Open file descriptor: 3
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: socket
Address Family: AF_UNIX

Open file descriptor: 5
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: fifo, inode - 2921, device - 7
The descriptor is: pipe:[2921]

Open file descriptor: 6
User ID of File Owner: root
Group ID of File Owner: root
WARNING - Descriptor is leaked from parent.
File type: fifo, inode - 2921, device - 7
The descriptor is: pipe:[2921]
File descriptor mode is: write only


Expected Results:  Nothing past descriptor 2.

Additional info:

This borders on being a security bug.
Comment 1 Steve Grubb 2004-08-19 10:48:42 EDT
Created attachment 102877 [details]
Patch that fixes these problems
Comment 2 Harald Hoyer 2004-08-19 10:51:05 EDT
*** Bug 130100 has been marked as a duplicate of this bug. ***
Comment 3 Harald Hoyer 2004-08-19 10:53:42 EDT
Thank you for the patch!

You may post this patch to the linux-hotplug list or I will.

Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
Comment 4 Steve Grubb 2004-08-19 11:04:22 EDT
Feel free to send it to the list. I don't feel like subscribing and
unsubscribing just to send a patch. I sent a longer version of the
same patch to greg@kroah.com yesterday. I haven't received a response
yet. 

I think it needs more review. For example, opening /dev/null doesn't
seem to work, nor does it error. The first 3 descriptors need to be
opened to something innocent. 

I also think using stack variables for execle calls is bad, too. If I
recall, they should be malloc'd to reliably work on all processors.

Then there is another problem not in this patch, but sent upstream
about size_t/off_t confusion. They are different sizes, but they are
used interchangeably throughout tdb.
Comment 5 Harald Hoyer 2004-08-24 04:34:13 EDT
Please try the newest version from Fedora development.
Comment 6 Steve Grubb 2004-08-25 09:34:32 EDT
It will be Friday (8/27) before I can do any testing. I'm having to
rebuild the whole system from scratch.
Comment 7 Steve Grubb 2004-08-26 14:11:22 EDT
OK, I was able to try it out. The short answer is it's changed, but not
fixed.

The problem is that important descriptors are still being leaked (they
are stdin & stdout) and others are not created at all. The signal pipe
should not be leaked. A rogue program may do a printf and cause bad
results in udevd. Stdin, stdout, stderr need to be opened to something
innocent like /dev/null. The signal pipe needs the close on exec flag
set, too.

Does /dev/null exist when udevd is started?

Also, I don't recall seeing the patch take care of anything other than
closing a descriptor on exec. There is an off by one stack array
variable problem as well as uninitialized variables and a potentially
bad access of an environmental variable that needs shutting off.
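
The two fixes Comment 7 asks for (close-on-exec on the daemon's private descriptors, and stdin/stdout/stderr pointed at /dev/null before the helper runs), shown as an added C example that is not part of this bug report or of udev's source. The function name `leaked_to_helper`, the `AUDIT` shell snippet (a stand-in for env_audit) and the use of /bin/sh as the helper are assumptions of this example.

```c
/* Added example, not udev source; AUDIT is a constructed stand-in for env_audit. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run by the helper: exit status = how many of the descriptor numbers
 * passed as arguments are still open after exec. */
static const char AUDIT[] =
    "n=0; for fd in \"$@\"; do ( : ) >&$fd && n=$((n+1)); done; exit $n";

/* Creates a pipe and a UNIX socket pair (the kinds of descriptor in the
 * report), execs the helper, and returns how many it inherited (-1 on error). */
int leaked_to_helper(int harden)
{
    int fds[4], status = 0, i;
    char arg[4][12];
    pid_t pid;

    if (pipe(fds) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, fds + 2) < 0)
        return -1;
    for (i = 0; i < 4; i++) {
        snprintf(arg[i], sizeof arg[i], "%d", fds[i]);
        /* Fix 1: daemon-private descriptors are closed automatically on exec. */
        if (harden && fcntl(fds[i], F_SETFD, FD_CLOEXEC) < 0)
            return -1;
    }
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        if (harden) {
            /* Fix 2: 0-2 point at /dev/null; if that fails, do not exec. */
            int nul = open("/dev/null", O_RDWR);
            if (nul < 0 || dup2(nul, 0) < 0 || dup2(nul, 1) < 0 || dup2(nul, 2) < 0)
                _exit(126);
            if (nul > 2) close(nul);
        }
        execl("/bin/sh", "sh", "-c", AUDIT, "sh",
              arg[0], arg[1], arg[2], arg[3], (char *)NULL);
        _exit(127);
    }
    for (i = 0; i < 4; i++) close(fds[i]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("leaky: %d, hardened: %d\n", leaked_to_helper(0), leaked_to_helper(1));
    return 0;
}
```

Without hardening the helper sees all four descriptors; with it, none survive the exec, and a missing /dev/null stops the exec instead of being silently ignored.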
