Bug 31695 - pidfd_spawn/pidfd_spawnp leak an fd if clone3 succeeds but execve fails
Summary: pidfd_spawn/pidfd_spawnp leak an fd if clone3 succeeds but execve fails
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.39
Importance: P2 normal
Target Milestone: 2.40
Assignee: Adhemerval Zanella
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-02 17:45 UTC by Peter Cawley
Modified: 2024-06-25 16:49 UTC
CC List: 4 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2024-05-03 00:00:00
fweimer: security?


Attachments
test.c (240 bytes, text/plain)
2024-05-02 17:45 UTC, Peter Cawley
Description Peter Cawley 2024-05-02 17:45:15 UTC
Created attachment 15483
test.c

The pidfd_spawn / pidfd_spawnp functions introduced as part of BZ#30349 will allocate an fd as part of the clone3 call, but only return that fd to their caller if the execve in the child succeeds. If the execve in the child fails, then pidfd_spawn / pidfd_spawnp will reap the child and return an appropriate error code to their caller. This error handling path currently forgets to close the fd, resulting in an fd leak.

Trivial test program attached that makes a number of pidfd_spawnp calls, prints the returned error code and returned pidfd, and then lists the contents of /proc/self/fd. The returned error code is correct (ENOENT), and no pidfd is returned, but then the listing step reports a bunch of leaked pidfds floating around.
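An added fd-accounting check, written for this report and not the reporter's test.c, that applies the method the description gives: spawn a nonexistent program repeatedly and compare /proc/self/fd before and after. It uses posix_spawnp by default so it builds on older glibc; the program name and the USE_PIDFD_SPAWN switch are constructed here, and with that switch on glibc 2.39 the same harness calls pidfd_spawnp, the path on which the report says the error handling leaks the pidfd.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <spawn.h>
#include <unistd.h>

extern char **environ;

/* Count entries in /proc/self/fd. The directory stream itself occupies one
   fd, but it is present in both counts, so it cancels out on subtraction. */
static int count_open_fds(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.')
            n++;
    closedir(d);
    return n;
}

/* Spawn a program that does not exist: the clone succeeds, execve in the
   child fails with ENOENT, and the library reaps the child and returns the
   error. -DUSE_PIDFD_SPAWN (glibc 2.39+) selects the pidfd path. */
static int spawn_missing_program(void)
{
    /* Constructed name; it must not resolve on PATH. */
    char *argv[] = { "no-such-program-constructed-for-this-check", NULL };
#ifdef USE_PIDFD_SPAWN
    int pidfd = -1;   /* the descriptor the report says is leaked on failure */
    return pidfd_spawnp(&pidfd, argv[0], NULL, NULL, argv, environ);
#else
    pid_t pid;
    return posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ);
#endif
}

/* Run `rounds` failing spawns and report how many fds were left behind:
   0 means the error path cleaned up, a positive value is the leak.
   -1: /proc unavailable; -2: a spawn unexpectedly succeeded. */
int leaked_fds_after_failed_spawns(int rounds)
{
    int before = count_open_fds();
    if (before < 0) return -1;
    for (int i = 0; i < rounds; i++)
        if (spawn_missing_program() == 0)
            return -2;
    return count_open_fds() - before;
}
```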
Comment 1 Adhemerval Zanella 2024-05-06 12:27:40 UTC
I am working on a patch to fix it, thanks for bringing this up.
Comment 2 Adhemerval Zanella 2024-06-25 16:49:08 UTC
Fixed on 2.40.