[newlib-cygwin] Cygwin: execve: reduce parent handle to non-inheritable SYNCHRONIZE

Tue Jan 29 19:38:00 GMT 2019

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=4d738e0f62403c3f1b082abf927aab00056230c5

commit 4d738e0f62403c3f1b082abf927aab00056230c5
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Tue Jan 29 20:37:00 2019 +0100

    Cygwin: execve: reduce parent handle to non-inheritable SYNCHRONIZE
    
    Keeping an inheritable handle open results in that handle being
    spilled over into grandchild processes, which is not desired.
    Duplicate original parent handle into a non-inheritable one with
    minimal SYNCHRONIZE permissions and close the original handle.
    
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/dcrt0.cc   | 30 +++++++++++++++++++++++-------
 winsup/cygwin/sigproc.cc |  3 ++-
 2 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/winsup/cygwin/dcrt0.cc b/winsup/cygwin/dcrt0.cc
index 6b564dc..463df31 100644
--- a/winsup/cygwin/dcrt0.cc
+++ b/winsup/cygwin/dcrt0.cc
@@ -685,14 +685,30 @@ child_info_spawn::handle_spawn ()
 
   ready (true);
 
-  /* Keep pointer to parent open if we've execed so that pid will not be reused.
-     Otherwise, we no longer need this handle so close it.
-     Need to do this after debug_fixup_after_fork_exec or DEBUGGING handling of
-     handles might get confused. */
-  if (type != _CH_EXEC && child_proc_info->parent)
+  if (child_proc_info->parent)
     {
-      CloseHandle (child_proc_info->parent);
-      child_proc_info->parent = NULL;
+      if (type == _CH_EXEC)
+	{
+	  /* Keep pointer to parent open if we've execed so that pid will not be
+	     reused.  Try to Urther reduce permissions. */
+	  HANDLE new_parent;
+
+	  if (DuplicateHandle (GetCurrentProcess (), child_proc_info->parent,
+			       GetCurrentProcess (), &new_parent,
+			       SYNCHRONIZE, FALSE, 0))
+	    {
+	      CloseHandle (child_proc_info->parent);
+	      child_proc_info->parent = new_parent;
+	    }
+	}
+      else
+	{
+	  /* Otherwise, we no longer need this handle so close it.  Need to do
+	     this after debug_fixup_after_fork_exec or DEBUGGING handling of
+	     handles might get confused. */
+	  CloseHandle (child_proc_info->parent);
+	  child_proc_info->parent = NULL;
+	}
     }
 
   signal_fixup_after_exec ();
diff --git a/winsup/cygwin/sigproc.cc b/winsup/cygwin/sigproc.cc
index 42eeb30..080fe58 100644
--- a/winsup/cygwin/sigproc.cc
+++ b/winsup/cygwin/sigproc.cc
@@ -814,7 +814,8 @@ child_info::child_info (unsigned in_cb, child_info_types chtype,
      allow the child to copy cygheap etc. from the parent to itself.  If
      we're forking, we also need handle duplicate access. */
   parent = NULL;
-  DWORD perms = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ;
+  DWORD perms = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
+		| SYNCHRONIZE;
   if (type == _CH_FORK)
     {
       perms |= PROCESS_DUP_HANDLE;

