Fix uninitialized memory read and associated crash. #2312
Conversation
Linux does set the amaster parameter of `forkpty()` to a valid file
descriptor in the child, but we pass this value to
`OwnedFd::from_raw_fd`, which panics if the passed value is
`0xffff_ffff`.
A simple reproducer:
```
fn effify()
{
let x: [u8; 1024] = [0xff; 1024];
}
fn main()
{
effify();
let dupped = nix::unistd::dup(1).unwrap();
let result = unsafe { nix::pty::forkpty(None, None).unwrap() };
match result.fork_result
{
nix::unistd::ForkResult::Child =>
{
nix::unistd::dup2(dupped, 1).unwrap();
println!("Child is happy");
}
nix::unistd::ForkResult::Parent { child } =>
{
println!("Parent is happy");
println!("{:?}", nix::sys::wait::waitpid(child, None).unwrap());
}
}
}
```
The child process panics in the above code without the above patch
applied.
Xeom
changed the title
|
Apologies for the spelling mistakes in the commit message, I was sleepy when I wrote this. Now I'm awake however, I've realized that this patch fixes my particular crash, but not the more general issue that we're putting an uninitialized value into an In my case, I immediately call A proper fix for this problem would be to change the structure of |
|
I can reproduce this on my Linux host (kernel 6.7.4/glibc 2.38). And from the source code of glibc 2.39, in the spawned child process, the
This makes sense to me, at least on Linux/Glibc. Unfortunately, the Linux manual does not mention this behavior. This syscall comes from BSD, the FreeBSD manual, does mention this:
So I think we can apply the patch to all the platforms. |
|
superseded by #2315 |
Linux doesn't set the
amasterparameter offorkpty()to a valid file descriptor in the child, but we pass this value toOwnedFd::from_raw_fd, which panics if the passed value is0xffff_ffff.A simple reproducer:
The child process panics in the above code without this patch applied.
What does this PR do
Checklist:
CONTRIBUTING.md