It is in general unsafe to start git with one or more of file descriptors 0/1/2 closed. Karl Chen for example noticed that stat_command does this in order to rename a pipe file descriptor to 0:

    dup2(from, 0);
    close(from);

... but if stdin was closed (for example) from == 0, so that

    dup2(0, 0);
    close(0);

just ends up closing the pipe. Another extremely rare but nasty problem would occur if an "important" file ends up in file descriptor 2, and is corrupted by a call to die().

This patch fixes these problems by opening all of the "low" descriptors to /dev/null in main.

Signed-off-by: Paolo Bonzini <bonzini@xxxxxxx>
--- git.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diff --git a/git.c b/git.c index 89e4645..be227b2 100644 --- a/git.c +++ b/git.c @@ -420,6 +420,19 @@ int main(int argc, const char **argv) const char *cmd = argv[0] && *argv[0] ? argv[0] : "git-help"; char *slash = (char *)cmd + strlen(cmd); int done_alias = 0; + int devnull_fd; + + /* + * Always open file descriptors 0/1/2 to avoid clobbering files + * in die(). It also avoids not messing up when the pipes are + * dup'ed onto stdin/stdout/stderr in the child processes we spawn. + */ + devnull_fd = open("/dev/null", O_RDWR); + while (devnull_fd >= 0 && devnull_fd <= 2) + devnull_fd = dup(devnull_fd); + if (devnull_fd == -1) + die("opening /dev/null failed (%s)", strerror(errno)); + close (devnull_fd); /* * Take the basename of argv[0] as the command -- 1.5.5
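
Review bot: the `if (devnull_fd == -1) die(...)` check at the end of the added block makes git exit whenever /dev/null cannot be opened, even if descriptors 0/1/2 were all open and nothing needed repair, and when the descriptor that was closed is 2 the die() message itself has nowhere to go. Consider failing only when a low descriptor was actually found closed, or stating in the comment that /dev/null is now a hard requirement at startup. In the comment, "It also avoids not messing up" is a double negative that reads as the opposite of the intent ("It also avoids messing up"), and `close (devnull_fd);` has a space before the parenthesis that the other calls in the hunk do not.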
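
The failure described in the commit message and the effect of the patch's approach, as an added example that is not part of the original post or of git's source. The helper names `rename_naive`, `fill_low_fds` and `stdin_survives` are assumptions, and the check runs in a forked child so the caller's own stdin is left alone.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* The rename idiom quoted in the commit message; returns 1 if fd 0 is still open. */
static int rename_naive(int from)
{
	dup2(from, 0);   /* a no-op when from == 0 */
	close(from);     /* ...so this closes the pipe itself */
	return fcntl(0, F_GETFD) != -1;
}

/* The patch's approach (hypothetical helper name): fill closed fds 0/1/2 with /dev/null. */
static int fill_low_fds(void)
{
	int fd = open("/dev/null", O_RDWR);
	while (fd >= 0 && fd <= 2)
		fd = dup(fd);
	if (fd == -1)
		return -1;
	close(fd);       /* fd > 2 here: the spare descriptor is not needed */
	return 0;
}

/*
 * In a child that starts with stdin closed, create a pipe and rename its read
 * end to fd 0. Returns 1 if fd 0 is open afterwards, 0 if not, 2 on setup failure.
 */
static int stdin_survives(int fill_first, int (*rename_fn)(int))
{
	int p[2], status = 0;
	pid_t pid = fork();
	if (pid == 0) {
		close(0);    /* simulate being started with stdin closed */
		if ((fill_first && fill_low_fds() < 0) || pipe(p) < 0)
			_exit(2);
		_exit(rename_fn(p[0]));   /* p[0] == 0 unless fds were filled */
	}
	if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return 2;
	return WEXITSTATUS(status);
}

int main(void)
{
	printf("stdin closed, rename only: fd 0 open = %d\n", stdin_survives(0, rename_naive));
	printf("stdin closed, fill first:  fd 0 open = %d\n", stdin_survives(1, rename_naive));
	return 0;
}
```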