Re: Potential handle leaks in dup_worker

[Ken Brown <kbrown@cornell.edu>]

On 2/9/2021 4:47 AM, Corinna Vinschen via Cygwin-developers wrote:
> On Feb  8 12:39, Ken Brown via Cygwin-developers wrote:
>> I've had occasion to work through dtable::dup_worker, and I'm seeing the
>> potential for leaks of path_conv handles.  I haven't seen any evidence that
>> the leaks actually occur, but the code should probably be cleaned up if I'm
>> right.
>>
>> dup_worker calls clone to create newfh from oldfh.  clone calls copyto,
>> which calls operator=, which calls path_conv::operator=, which duplicates
>> the path_conv handle from oldfh to newfh.  Then copyto calls reset, which
>> calls path_conv::operator<<, which again duplicates the path_conv handle
>> from oldfh to newfh without first closing the previous one.  That's the
>> first leak.
>>
>> Further on, dup_worker calls newfh->pc.reset_conv_handle (), which sets the
>> path_conv handle of newfh to NULL without closing the existing handle.  So
>> that's a second leak.  This one is easily fixed by calling close_conv_handle
>> instead of reset_conv_handle.
> 
> Nice detective work, you're right.  For fun, this is easily testable.
> Apply this patch to Cygwin:
> 
> diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
> index 52a020f07d5e..58e993b66c42 100644
> --- a/winsup/cygwin/syscalls.cc
> +++ b/winsup/cygwin/syscalls.cc
> @@ -1475,6 +1475,10 @@ open (const char *unix_path, int flags, ...)
>         int opt = PC_OPEN | PC_SYM_NOFOLLOW_PROCFD;
>         opt |= (flags & (O_NOFOLLOW | O_EXCL)) ? PC_SYM_NOFOLLOW
>   					     : PC_SYM_FOLLOW;
> +
> +      if (flags & O_NOATIME)
> +      	opt |= PC_KEEP_HANDLE;
> +
>         /* This is a temporary kludge until all utilities can catch up
>   	 with a change in behavior that implements linux functionality:
>   	 opening a tty should not automatically cause it to become the
> 
> And then create an STC like this:
> 
>    #define _GNU_SOURCE 1
>    #include <stdio.h>
>    #include <unistd.h>
>    #include <fcntl.h>
> 
>    int
>    main (int argc, char **argv)
>    {
>      int fd, fd2;
> 
>      fd = open (argv[1], O_RDONLY | O_NOATIME);
>      dup (fd);
>    }
> 
>> As a practical matter, I think the path_conv handle of oldfh is always NULL
>> when dup_worker is called, so there's no actual leak.
> 
> Right, because conv_handle should only be non-NULL in calls to stat(2)
> and friends.
> 
> Nevertheless, it's a bad idea to keep this code.  So the question is
> this:  Do we actually *need* to duplicate the conv_handle at all?
> It doesn't look like this is ever needed.  Perhaps the code should
> just never duplicate conv_handle and just always reset it to NULL
> instead?

I've come across one place where I think it's needed.  Suppose build_fh_name is 
called with PC_KEEP_HANDLE.  It calls build_fh_pc, which calls set_name, which 
calls path_conv::operator<<.  I think we need to duplicate conv_handle here.

If this is the only place where duplication is needed, we could just do it in 
build_fh_pc or fhandler_base::set_name.  We would probably want to add a 
path_conv::dup_conv_handle method:

   inline void dup_conv_handle (path_conv& pc)
   {
     conv_handle.close ();
     conv_handle.dup (pc.conv_handle);
   }

Ken