[Patch] Fixing the PROCESS_DUP_HANDLE security hole.
Pierre A. Humblet
pierre@phumblet.no-ip.org
Sat Dec 4 18:06:00 GMT 2004
At 12:33 PM 12/4/2004 -0500, Christopher Faylor wrote:
>On Sat, Dec 04, 2004 at 11:45:28AM -0500, Pierre A. Humblet wrote:
>>At 12:43 AM 12/4/2004 -0500, Christopher Faylor wrote:
>>>I wrote a simple test case to check this and I don't see it -- on XP. I
>>>can't easily run Me anymore. Does the attached program demonstrate this
>>>behavior when you run it? It should re-exec itself every time you hit
>>>CTRL-C.
>>
>>That test case has no problem, but the attached one does.
>>Use kill -30 pid
>
>Sigh. Works fine on XP, AFAICT.
More details
CYGWIN_ME-4.90 hpn5170 1.5.13s(0.116/4/2) 20041125 23:34:52 i686 unknown unknown Cygwin
I added a printf at the top, showing the current pid and ppid (attached).
~: ./a
pid 556021 ppid 890585
~: ps | fgrep /A
36793321 1 556021 4258173975 0 740 12:47:22 /c/HOME/PIERRE/A
~: kill -30 36793321
got signal 30
execing myself
~: pid 36793321 ppid 36793321
~: ps | fgrep /A
36765717 1 556021 4258201579 0 740 12:47:44 /c/HOME/PIERRE/A
The problem is that the execed process has itself as ppid.
So it forks again.
That must be history by now, but I think it's coming from

  if (!myself->wr_proc_pipe)
    {
      myself.hProcess = pi.hProcess;
      myself.remember ();
      wait_for_myself = true;
    }

with wr_proc_pipe having been reset to NULL.
Pierre
-------------- next part --------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>

/* Signal handler: report which signal arrived; pause () then returns. */
void ouch (int sig)
{
  printf ("got signal %d\n", sig);
}

int
main (int argc, char **argv)
{
  /* Show who we are; on the failing system the exec'd image reports ppid == pid. */
  printf ("pid %d ppid %d\n", (int) getpid (), (int) getppid ());
  fflush (stdout);   /* so the buffered line is not duplicated by the child */

  /* Daemonize once: unless already reparented to init (ppid 1), fork and let the parent exit. */
  if (getppid () != 1 && fork ())
    exit (0);

  signal (SIGUSR1, ouch);

  /* pause () returns -1 after a handled signal, so this loops:
     re-exec ourselves on every SIGUSR1 (signal 30 on Cygwin, hence "kill -30"). */
  while (pause ())
    {
      puts ("execing myself");
      execv (argv[0], argv);
      perror ("execv");   /* only reached if the exec failed */
    }
  exit (0);
}