-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
load_file_data: do not close fd on error to avoid double-close #558
Conversation
This doesn't seem like a practical problem: we don't open any other fds between the first close() and the second, and bubblewrap is single-threaded (so there is no other thread opening fds), so the second close() will deterministically fail with |
Please could you update the commit message to mention that this isn't a practical problem, and not include several pages of gcc output? |
load_file_data() closes the passed file descriptor in case of an read(2) failure. The file descriptor is however owned by the caller and should not be closed to avoid a double-close. Since in this error branch NULL is always returned the only affected caller is load_file_data(), as all other callers immediately abort via die_with_error(). As bubblewrap is single-threaded the second close(2) in load_file_data() will be well-defined and fail with EBADF, leading to no unrelated file descriptor to be closed Found by GCC analyzer: ./utils.c: In function ‘load_file_at’: ./utils.c:630:3: warning: double ‘close’ of file descriptor ‘fd’ [CWE-1341] [-Wanalyzer-fd-double-close] 630 | close (fd); | ^~~~~~~~~~ ... | 596 | close (fd); | | ~~~~~~~~~~ | | | | | (15) first ‘close’ here ... | 630 | close (fd); | | ~~~~~~~~~~ | | | | | (20) second ‘close’ here; first ‘close’ was at (15) Signed-off-by: Christian Göttsche <[email protected]>
* `--symlink` is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (containers/bubblewrap#549, flatpak#2387, flatpak#3477, flatpak#5255) * Report a better error message if `mount(2)` fails with `ENOSPC` (containers/bubblewrap#615, ValveSoftware/steam-runtime#637) * Fix a double-close on error reading from `--args`, `--seccomp` or `--add-seccomp-fd` argument (containers/bubblewrap#558) * Improve memory allocation behaviour (containers/bubblewrap#556, containers/bubblewrap#624) * Silence various compiler warnings (containers/bubblewrap#559) Resolves: flatpak#2387 Resolves: flatpak#3477 Resolves: flatpak#5255 Signed-off-by: Simon McVittie <[email protected]>
* `--symlink` is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (containers/bubblewrap#549, #2387, #3477, #5255) * Report a better error message if `mount(2)` fails with `ENOSPC` (containers/bubblewrap#615, ValveSoftware/steam-runtime#637) * Fix a double-close on error reading from `--args`, `--seccomp` or `--add-seccomp-fd` argument (containers/bubblewrap#558) * Improve memory allocation behaviour (containers/bubblewrap#556, containers/bubblewrap#624) * Silence various compiler warnings (containers/bubblewrap#559) Resolves: #2387 Resolves: #3477 Resolves: #5255 Signed-off-by: Simon McVittie <[email protected]>
* `--symlink` is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (containers/bubblewrap#549, flatpak#2387, flatpak#3477, flatpak#5255) * Report a better error message if `mount(2)` fails with `ENOSPC` (containers/bubblewrap#615, ValveSoftware/steam-runtime#637) * Fix a double-close on error reading from `--args`, `--seccomp` or `--add-seccomp-fd` argument (containers/bubblewrap#558) * Improve memory allocation behaviour (containers/bubblewrap#556, containers/bubblewrap#624) * Silence various compiler warnings (containers/bubblewrap#559) Resolves: flatpak#2387 Resolves: flatpak#3477 Resolves: flatpak#5255 Signed-off-by: Simon McVittie <[email protected]>
load_file_at() is affected in the error case, since all other current callers call die_with_error() before closing the passed file descriptor.
Found by GCC analyzer: