From fc333501ca97880108c8ff17e33d9dd7d5e28ed4 Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Tue, 1 Sep 2009 12:25:01 -0600 Subject: [PATCH] backupfile, chdir-long, fts, savedir: make safer * lib/backupfile.c (includes): Use "dirent--.h", since numbered_backup can write to stderr during readdir. * lib/savedir.c (includes): Likewise. * lib/chdir-long.c (includes): Use "fcntl--.h", since openat emulation can write to stderr on failure. * lib/fts.c (includes) [!_LIBC]: Likewise for opendir and openat. * lib/getcwd.c: Document why opendir_safer is unused. * lib/glob.c: Likewise. * lib/scandir.c: Likewise. * lib/openat-proc.c: Likewise, for open_safer. * modules/backupfile (Depends-on): Add dirent-safer. * modules/savedir (Depends-on): Likewise. * modules/fts (Depends-on): Add dirent-safer and openat-safer. * modules/chdir-long (Depends-on): Add openat-safer. Signed-off-by: Eric Blake --- ChangeLog | 16 ++++++++++++++++ lib/backupfile.c | 9 ++------- lib/chdir-long.c | 5 ++--- lib/fts.c | 2 +- lib/getcwd.c | 8 ++++++-- lib/glob.c | 7 +++++-- lib/openat-proc.c | 7 +++++-- lib/savedir.c | 7 +------ lib/scandir.c | 8 ++++++++ modules/backupfile | 1 + modules/chdir-long | 2 +- modules/fts | 3 ++- modules/savedir | 1 + 13 files changed, 51 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6c991eab2..3ac7d123e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,21 @@ 2009-09-02 Eric Blake + backupfile, chdir-long, fts, savedir: make safer + * lib/backupfile.c (includes): Use "dirent--.h", since + numbered_backup can write to stderr during readdir. + * lib/savedir.c (includes): Likewise. + * lib/chdir-long.c (includes): Use "fcntl--.h", since openat + emulation can write to stderr on failure. + * lib/fts.c (includes) [!_LIBC]: Likewise for opendir and openat. + * lib/getcwd.c: Document why opendir_safer is unused. + * lib/glob.c: Likewise. + * lib/scandir.c: Likewise. + * lib/openat-proc.c: Likewise, for open_safer. + * modules/backupfile (Depends-on): Add dirent-safer. + * modules/savedir (Depends-on): Likewise. + * modules/fts (Depends-on): Add dirent-safer and openat-safer. + * modules/chdir-long (Depends-on): Add openat-safer. + openat-safer: new module * modules/openat-safer: New file. * lib/openat-safer.c: Likewise. diff --git a/lib/backupfile.c b/lib/backupfile.c index 1420edd8c..f6cf73779 100644 --- a/lib/backupfile.c +++ b/lib/backupfile.c @@ -1,7 +1,7 @@ /* backupfile.c -- make Emacs style backup file names Copyright (C) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, - 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software + 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify @@ -37,7 +37,7 @@ #include -#include +#include "dirent--.h" #ifndef _D_EXACT_NAMLEN # define _D_EXACT_NAMLEN(dp) strlen ((dp)->d_name) #endif @@ -80,11 +80,6 @@ of `digit' even when the host does not conform to POSIX. */ #define ISDIGIT(c) ((unsigned int) (c) - '0' <= 9) -/* The results of opendir() in this file are not used with dirfd and fchdir, - therefore save some unnecessary work in fchdir.c. */ -#undef opendir -#undef closedir - /* The extension added to file names to produce a simple (as opposed to numbered) backup file name. */ char const *simple_backup_suffix = "~"; 
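Review bot: The new `#include "dirent--.h"` in lib/backupfile.c (hunk at -37,7) has no comment saying that it is what keeps the directory stream off descriptors 0-2. A later header cleanup could swap it back to the plain dirent header, or re-add the `#undef opendir` that this commit deletes further down, and the protection would be lost without any visible sign. I would add above the include: `/* Use opendir_safer: numbered_backup may write to stderr while the DIR is open, so its fd must not be 0, 1 or 2. */`. The same applies to the identical include change in lib/savedir.c (hunk at -26,7). A regression test that exercises the numbered-backup path with fd 2 closed at startup would pin the behaviour the commit message describes.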
diff --git a/lib/chdir-long.c b/lib/chdir-long.c index 291b58c28..ba47d5997 100644 --- a/lib/chdir-long.c +++ b/lib/chdir-long.c @@ -1,5 +1,5 @@ /* provide a chdir function that tries not to fail due to ENAMETOOLONG - Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. + Copyright (C) 2004-2009 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -20,7 +20,6 @@ #include "chdir-long.h" -#include #include #include #include @@ -28,7 +27,7 @@ #include #include -#include "openat.h" +#include "fcntl--.h" #ifndef PATH_MAX # error "compile this file only if your system defines PATH_MAX" diff --git a/lib/fts.c b/lib/fts.c index a30e38a32..7616c6fc1 100644 --- a/lib/fts.c +++ b/lib/fts.c @@ -69,7 +69,7 @@ static char sccsid[] = "@(#)fts.c 8.6 (Berkeley) 8/14/94"; #if ! _LIBC # include "fcntl--.h" -# include "openat.h" +# include "dirent--.h" # include "unistd--.h" # include "same-inode.h" #endif diff --git a/lib/getcwd.c b/lib/getcwd.c index b9e57d31a..2da1aeef2 100644 --- a/lib/getcwd.c +++ b/lib/getcwd.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1991-1999, 2004-2008 Free Software Foundation, Inc. +/* Copyright (C) 1991-1999, 2004-2009 Free Software Foundation, Inc. This file is part of the GNU C Library. This program is free software: you can redistribute it and/or modify @@ -103,7 +103,11 @@ #endif /* The results of opendir() in this file are not used with dirfd and fchdir, - therefore save some unnecessary recursion in fchdir.c. */ + and we do not leak fds to any single-threaded code that could use stdio, + therefore save some unnecessary recursion in fchdir.c. + FIXME - if the kernel ever adds support for multi-thread safety for + avoiding standard fds, then we should use opendir_safer and + openat_safer. */ #undef opendir #undef closedir diff --git a/lib/glob.c b/lib/glob.c index 40cc9b3de..42cd39bd4 100644 --- a/lib/glob.c 
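Review bot: In lib/chdir-long.c (hunk at -28,7) `"openat.h"` is replaced by `"fcntl--.h"` rather than kept alongside it, and lib/fts.c (hunk at -69,7) likewise drops `"openat.h"` in favour of `"dirent--.h"`. Neither hunk shows whether the rest of the file still needs declarations that came from openat.h. Both files should be confirmed to build on a platform that uses the openat emulation, since that is the configuration the commit message is concerned with. A one-line comment at the include would keep the reason for the swap visible, for example `/* fcntl--.h: openat must never return fd 0, 1 or 2 here */`.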
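Review bot: The rewritten comment above `#undef opendir` in lib/getcwd.c (hunk at -103,7) justifies bypassing the safer wrappers with an invariant that nothing in the code enforces: that no descriptor opened here is live while stdio could be used. I would state it as a rule for future edits by appending `Do not add diagnostics or any other stdio call between opendir and closedir in this file.` to the comment. The same rationale is added in lib/glob.c, lib/openat-proc.c and lib/scandir.c, and the request applies there too. The phrase "single-threaded code" sits oddly next to a FIXME about multi-threading; if the intent is that a second thread could still end up with a low descriptor, saying so directly would be clearer.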
+++ b/lib/glob.c @@ -1,4 +1,4 @@ -/* Copyright (C) 1991-2002, 2003, 2004, 2005, 2006, 2007, 2008 +/* Copyright (C) 1991-2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc. This file is part of the GNU C Library. @@ -186,7 +186,10 @@ static const char *next_brace_sub (const char *begin, int flags) __THROW; #ifndef _LIBC /* The results of opendir() in this file are not used with dirfd and fchdir, - therefore save some unnecessary work in fchdir.c. */ + and we do not leak fds to any single-threaded code that could use stdio, + therefore save some unnecessary recursion in fchdir.c and opendir_safer.c. + FIXME - if the kernel ever adds support for multi-thread safety for + avoiding standard fds, then we should use opendir_safer. */ # undef opendir # undef closedir diff --git a/lib/openat-proc.c b/lib/openat-proc.c index e84dc454f..8057033e8 100644 --- a/lib/openat-proc.c +++ b/lib/openat-proc.c @@ -1,6 +1,6 @@ /* Create /proc/self/fd-related names for subfiles of open directories. - Copyright (C) 2006 Free Software Foundation, Inc. + Copyright (C) 2006, 2009 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -34,7 +34,10 @@ #include "xalloc.h" /* The results of open() in this file are not used with fchdir, - therefore save some unnecessary work in fchdir.c. */ + and we do not leak fds to any single-threaded code that could use stdio, + therefore save some unnecessary work in fchdir.c. + FIXME - if the kernel ever adds support for multi-thread safety for + avoiding standard fds, then we should use open_safer. */ #undef open #undef close diff --git a/lib/savedir.c b/lib/savedir.c index 8400145ad..5e69d386f 100644 --- a/lib/savedir.c +++ b/lib/savedir.c @@ -26,7 +26,7 @@ #include -#include +#include "dirent--.h" #ifndef _D_EXACT_NAMLEN # define _D_EXACT_NAMLEN(dp) strlen ((dp)->d_name) #endif 
@@ -41,11 +41,6 @@ # define NAME_SIZE_DEFAULT 512 #endif -/* The results of opendir() in this file are not used with dirfd and fchdir, - therefore save some unnecessary work in fchdir.c. */ -#undef opendir -#undef closedir - /* Return a freshly allocated string containing the file names in directory DIRP, separated by '\0' characters; the end is marked by two '\0' characters in a row. diff --git a/lib/scandir.c b/lib/scandir.c index 8b34070e8..54a74d5e0 100644 --- a/lib/scandir.c +++ b/lib/scandir.c @@ -45,6 +45,14 @@ # define __opendir opendir # define __closedir closedir # define __set_errno(val) errno = (val) + +/* The results of opendir() in this file are not used with dirfd and fchdir, + and we do not leak fds to any single-threaded code that could use stdio, + therefore save some unnecessary recursion in fchdir.c and opendir_safer.c. + FIXME - if the kernel ever adds support for multi-thread safety for + avoiding standard fds, then we should use opendir_safer. */ +# undef opendir +# undef closedir #endif #ifndef SCANDIR_CANCEL diff --git a/modules/backupfile b/modules/backupfile index 3f8ccfdf1..aaf20f3b1 100644 --- a/modules/backupfile +++ b/modules/backupfile @@ -11,6 +11,7 @@ m4/backupfile.m4 Depends-on: argmatch d-ino +dirent-safer dirname memcmp stdbool diff --git a/modules/chdir-long b/modules/chdir-long index 4025b45af..cdcb9eb70 100644 --- a/modules/chdir-long +++ b/modules/chdir-long @@ -10,7 +10,7 @@ Depends-on: atexit fchdir fcntl-h -openat +openat-safer memchr mempcpy memrchr diff --git a/modules/fts b/modules/fts index 38b22567b..f80a827db 100644 --- a/modules/fts +++ b/modules/fts @@ -11,6 +11,7 @@ Depends-on: cycle-check d-ino d-type +dirent-safer dirfd fchdir fcntl-h @@ -19,7 +20,7 @@ hash i-ring lstat memmove -openat +openat-safer stdbool unistd-safer diff --git a/modules/savedir b/modules/savedir index 4171b802c..6699095e2 100644 --- a/modules/savedir +++ b/modules/savedir 
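Review bot: In lib/scandir.c (hunk at -45,6) the new `# undef opendir` and `# undef closedir` come after `# define __opendir opendir` and `# define __closedir closedir`, which reads as though the aliases had already captured the wrapped names. It works because macro replacement happens where `__opendir` is used, not where it is defined. That deserves either a short remark in the comment or moving the two `# undef` lines above the aliases. The comment also names opendir_safer.c, but the hunk does not show this file including "dirent--.h"; if it does not, that part of the rationale should be dropped. The conditional block these lines sit in opens outside the hunk.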
@@ -7,6 +7,7 @@ lib/savedir.c m4/savedir.m4 Depends-on: +dirent-safer fdopendir xalloc -- 2.11.0