It is in general unsafe to start a program with one or more of file
descriptors 0/1/2 closed. Karl Chen for example noticed that stat_command
does this in order to rename a pipe file descriptor to 0:
dup2(from, 0);
close(from);
... but if stdin was closed (for example) from == 0, so that
dup2(0, 0);
close(0);
just ends up closing the pipe. Another extremely rare but nasty problem
would occur if an "important" file ends up in file descriptor 2, and is
corrupted by a call to die().
Fixing this in git was considered to be overkill, so this patch works
around it only for git-shell. The fix is simply to open all the "low"
descriptors to /dev/null in main.
Signed-off-by: Paolo Bonzini <bonzini@xxxxxxx>
---
shell.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/shell.c b/shell.c
index 0f6a727..e339369 100644
--- a/shell.c
+++ b/shell.c
@@ -48,6 +48,19 @@ int main(int argc, char **argv)
{
char *prog;
struct commands *cmd;
+ int devnull_fd;
+
+ /*
+ * Always open file descriptors 0/1/2 to avoid clobbering files
+ * in die(). It also avoids not messing up when the pipes are
+ * dup'ed onto stdin/stdout/stderr in the child processes we spawn.
+ */
+ devnull_fd = open("/dev/null", O_RDWR);
+ while (devnull_fd >= 0 && devnull_fd <= 2)
+ devnull_fd = dup(devnull_fd);
+ if (devnull_fd == -1)
+ die("opening /dev/null failed (%s)", strerror(errno));
+ close (devnull_fd);
/*
* Special hack to pretend to be a CVS server
--
1.5.5
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
