···
1
+
From 918bfff86ca8d6d4e4ec5b30994451e0bd74aba9 Mon Sep 17 00:00:00 2001
2
+
From: Leon Timmermans <fawaka@gmail.com>
3
+
Date: Fri, 23 May 2025 15:40:41 +0200
4
+
Subject: [PATCH] CVE-2025-40909: Clone dirhandles without fchdir
6
+
This uses fdopendir and dup to dirhandles. This means it won't change
7
+
working directory during thread cloning, which prevents race conditions
8
+
that can happen if a third thread is active at the same time.
11
+
Cross/config.sh-arm-linux | 1 +
12
+
Cross/config.sh-arm-linux-n770 | 1 +
13
+
Porting/Glossary | 5 ++
14
+
Porting/config.sh | 1 +
17
+
plan9/config_sh.sample | 1 +
18
+
sv.c | 91 +----------------------------
19
+
t/op/threads-dirh.t | 104 +--------------------------------
20
+
win32/config.gc | 1 +
21
+
win32/config.vc | 1 +
22
+
12 files changed, 28 insertions(+), 191 deletions(-)
24
+
diff --git a/Configure b/Configure
25
+
index 44c12ced4014..7a13249caa96 100755
28
+
@@ -478,6 +478,7 @@ d_fd_set=''
36
+
@@ -13344,6 +13345,10 @@ esac
40
+
+: see if fdopendir exists
41
+
+set fdopendir d_fdopendir
44
+
: see if fork exists
47
+
@@ -25052,6 +25057,7 @@ d_flockproto='$d_flockproto'
51
+
+d_fdopendir='$d_fdopendir'
53
+
d_fp_class='$d_fp_class'
54
+
d_fp_classify='$d_fp_classify'
55
+
diff --git a/Cross/config.sh-arm-linux b/Cross/config.sh-arm-linux
56
+
index bfa0b00d5f0f..9e056539198b 100644
57
+
--- a/Cross/config.sh-arm-linux
58
+
+++ b/Cross/config.sh-arm-linux
59
+
@@ -212,6 +212,7 @@ d_fd_macros='define'
65
+
d_fegetround='define'
67
+
diff --git a/Cross/config.sh-arm-linux-n770 b/Cross/config.sh-arm-linux-n770
68
+
index 47ad5c37e3fd..365e4c4f9671 100644
69
+
--- a/Cross/config.sh-arm-linux-n770
70
+
+++ b/Cross/config.sh-arm-linux-n770
71
+
@@ -211,6 +211,7 @@ d_fd_macros='define'
77
+
d_fegetround='define'
79
+
diff --git a/Porting/Glossary b/Porting/Glossary
80
+
index bb505c653b0b..8b2965ca99c6 100644
81
+
--- a/Porting/Glossary
82
+
+++ b/Porting/Glossary
83
+
@@ -947,6 +947,11 @@ d_fmin (d_fmin.U):
84
+
This variable conditionally defines the HAS_FMIN symbol, which
85
+
indicates to the C program that the fmin() routine is available.
87
+
+d_fdopendir (d_fdopendir.U):
88
+
+ This variable conditionally defines the HAS_FORK symbol, which
89
+
+ indicates that the fdopen routine is available to open a
90
+
+ directory descriptor.
93
+
This variable conditionally defines the HAS_FORK symbol, which
94
+
indicates to the C program that the fork() routine is available.
95
+
diff --git a/Porting/config.sh b/Porting/config.sh
96
+
index a921f7e1c79a..6231ea0f31ea 100644
97
+
--- a/Porting/config.sh
98
+
+++ b/Porting/config.sh
99
+
@@ -223,6 +223,7 @@ d_fd_macros='define'
103
+
+d_fdopendir='define'
104
+
d_fds_bits='define'
105
+
d_fegetround='define'
107
+
diff --git a/config_h.SH b/config_h.SH
108
+
index da0f2dbcd7b7..5a0f81cf2011 100755
111
+
@@ -142,6 +142,12 @@ sed <<!GROK!THIS! >$CONFIG_H -e 's!^#undef\(.*/\)\*!/\*#define\1 \*!' -e 's!^#un
113
+
#$d_fcntl HAS_FCNTL /**/
116
+
+ * This symbol, if defined, indicates that the fdopen routine is
117
+
+ * available to open a directory descriptor.
119
+
+#$d_fdopendir HAS_FDOPENDIR /**/
122
+
* This symbol, if defined, indicates that the fgetpos routine is
123
+
* available to get the file position indicator, similar to ftell().
124
+
diff --git a/configure.com b/configure.com
125
+
index 99527c180bfc..7c38711bb85d 100644
126
+
--- a/configure.com
127
+
+++ b/configure.com
128
+
@@ -6010,6 +6010,7 @@ $ WC "d_fd_set='" + d_fd_set + "'"
129
+
$ WC "d_fd_macros='define'"
130
+
$ WC "d_fdclose='undef'"
131
+
$ WC "d_fdim='" + d_fdim + "'"
132
+
+$ WC "d_fdopendir='undef'"
133
+
$ WC "d_fds_bits='define'"
134
+
$ WC "d_fegetround='undef'"
135
+
$ WC "d_ffs='undef'"
136
+
diff --git a/plan9/config_sh.sample b/plan9/config_sh.sample
137
+
index 636acbdf6db3..246bad954424 100644
138
+
--- a/plan9/config_sh.sample
139
+
+++ b/plan9/config_sh.sample
140
+
@@ -212,6 +212,7 @@ d_fd_macros='undef'
146
+
d_fegetround='undef'
148
+
diff --git a/sv.c b/sv.c
149
+
index ae6d09dea28a..8a005b2d165b 100644
152
+
@@ -14096,15 +14096,6 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE_PARAMS *const param)
156
+
-#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR)
158
+
- const Direntry_t *dirent;
159
+
- char smallbuf[256]; /* XXX MAXPATHLEN, surely? */
160
+
- char *name = NULL;
165
+
PERL_UNUSED_CONTEXT;
166
+
PERL_ARGS_ASSERT_DIRP_DUP;
168
+
@@ -14116,89 +14107,13 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE_PARAMS *const param)
172
+
-#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR)
173
+
+#ifdef HAS_FDOPENDIR
175
+
PERL_UNUSED_ARG(param);
177
+
- /* create anew */
179
+
- /* open the current directory (so we can switch back) */
180
+
- if (!(pwd = PerlDir_open("."))) return (DIR *)NULL;
182
+
- /* chdir to our dir handle and open the present working directory */
183
+
- if (fchdir(my_dirfd(dp)) < 0 || !(ret = PerlDir_open("."))) {
184
+
- PerlDir_close(pwd);
185
+
- return (DIR *)NULL;
187
+
- /* Now we should have two dir handles pointing to the same dir. */
189
+
- /* Be nice to the calling code and chdir back to where we were. */
190
+
- /* XXX If this fails, then what? */
191
+
- PERL_UNUSED_RESULT(fchdir(my_dirfd(pwd)));
192
+
+ ret = fdopendir(dup(my_dirfd(dp)));
194
+
- /* We have no need of the pwd handle any more. */
195
+
- PerlDir_close(pwd);
198
+
-# define d_namlen(d) (d)->d_namlen
200
+
-# define d_namlen(d) strlen((d)->d_name)
202
+
- /* Iterate once through dp, to get the file name at the current posi-
203
+
- tion. Then step back. */
204
+
- pos = PerlDir_tell(dp);
205
+
- if ((dirent = PerlDir_read(dp))) {
206
+
- len = d_namlen(dirent);
207
+
- if (len > sizeof(dirent->d_name) && sizeof(dirent->d_name) > PTRSIZE) {
208
+
- /* If the len is somehow magically longer than the
209
+
- * maximum length of the directory entry, even though
210
+
- * we could fit it in a buffer, we could not copy it
211
+
- * from the dirent. Bail out. */
212
+
- PerlDir_close(ret);
213
+
- return (DIR*)NULL;
215
+
- if (len <= sizeof smallbuf) name = smallbuf;
216
+
- else Newx(name, len, char);
217
+
- Move(dirent->d_name, name, len, char);
219
+
- PerlDir_seek(dp, pos);
221
+
- /* Iterate through the new dir handle, till we find a file with the
223
+
- if (!dirent) /* just before the end */
225
+
- pos = PerlDir_tell(ret);
226
+
- if (PerlDir_read(ret)) continue; /* not there yet */
227
+
- PerlDir_seek(ret, pos); /* step back */
231
+
- const long pos0 = PerlDir_tell(ret);
233
+
- pos = PerlDir_tell(ret);
234
+
- if ((dirent = PerlDir_read(ret))) {
235
+
- if (len == (STRLEN)d_namlen(dirent)
236
+
- && memEQ(name, dirent->d_name, len)) {
238
+
- PerlDir_seek(ret, pos); /* step back */
241
+
- /* else we are not there yet; keep iterating */
243
+
- else { /* This is not meant to happen. The best we can do is
244
+
- reset the iterator to the beginning. */
245
+
- PerlDir_seek(ret, pos0);
252
+
- if (name && name != smallbuf)
257
+
+#elif defined(WIN32)
258
+
ret = win32_dirp_dup(dp, param);
261
+
diff --git a/t/op/threads-dirh.t b/t/op/threads-dirh.t
262
+
index bb4bcfc14184..14c399ca19cd 100644
263
+
--- a/t/op/threads-dirh.t
264
+
+++ b/t/op/threads-dirh.t
265
+
@@ -13,16 +13,12 @@ BEGIN {
266
+
skip_all_if_miniperl("no dynamic loading on miniperl, no threads");
267
+
skip_all("runs out of memory on some EBCDIC") if $ENV{PERL_SKIP_BIG_MEM_TESTS};
276
+
-use threads::shared;
278
+
-use File::Spec::Functions qw 'updir catdir';
281
+
# Basic sanity check: make sure this does not crash
282
+
fresh_perl_is <<'# this is no comment', 'ok', {}, 'crash when duping dirh';
283
+
@@ -31,101 +27,3 @@ fresh_perl_is <<'# this is no comment', 'ok', {}, 'crash when duping dirh';
284
+
async{}->join for 1..2;
286
+
# this is no comment
290
+
- skip "telldir or seekdir not defined on this platform", 5
291
+
- if !$Config::Config{d_telldir} || !$Config::Config{d_seekdir};
298
+
- if(!$Config::Config{d_fchdir} && $^O ne "MSWin32") {
299
+
- $::TODO = 'dir handle cloning currently requires fchdir on non-Windows platforms';
302
+
- my @w :shared; # warnings accumulator
303
+
- local $SIG{__WARN__} = sub { push @w, $_[0] };
305
+
- $dir = catdir getcwd(), "thrext$$" . int rand() * 100000;
307
+
- rmtree($dir) if -d $dir;
310
+
- # Create a dir structure like this:
322
+
- mkdir 'toberead';
323
+
- chdir 'toberead';
324
+
- {open my $fh, ">thrit" or &$skip("Cannot create file thrit")}
325
+
- {open my $fh, ">rile" or &$skip("Cannot create file rile")}
326
+
- {open my $fh, ">zor" or &$skip("Cannot create file zor")}
329
+
- # Then test that dir iterators are cloned correctly.
331
+
- opendir my $toberead, 'toberead';
332
+
- my $start_pos = telldir $toberead;
333
+
- my @first_2 = (scalar readdir $toberead, scalar readdir $toberead);
334
+
- my @from_thread = @{; async { [readdir $toberead ] } ->join };
335
+
- my @from_main = readdir $toberead;
336
+
- is join('-', sort @from_thread), join('-', sort @from_main),
337
+
- 'dir iterator is copied from one thread to another';
339
+
- join('-', "", sort(@first_2, @from_thread), ""),
340
+
- qr/(?<!-rile)-rile-thrit-zor-(?!zor-)/i,
341
+
- 'cloned iterator iterates exactly once over everything not already seen';
343
+
- seekdir $toberead, $start_pos;
344
+
- readdir $toberead for 1 .. @first_2+@from_thread;
346
+
- local $::TODO; # This always passes when dir handles are not cloned.
348
+
- async { readdir $toberead // 'undef' } ->join, 'undef',
349
+
- 'cloned dir iterator that points to the end of the directory'
353
+
- # Make sure the cloning code can handle file names longer than 255 chars
355
+
- chdir 'toberead';
357
+
- ">floccipaucinihilopilification-"
358
+
- . "pneumonoultramicroscopicsilicovolcanoconiosis-"
359
+
- . "lopadotemachoselachogaleokranioleipsanodrimypotrimmatosilphiokarabo"
360
+
- . "melitokatakechymenokichlepikossyphophattoperisteralektryonoptokephal"
361
+
- . "liokinklopeleiolagoiosiraiobaphetraganopterygon"
364
+
- skip("OS does not support long file names (and I mean *long*)", 1);
366
+
- opendir my $dirh, "toberead";
368
+
- = "dir iterators can be cloned when the next fn > 255 chars";
370
+
- my $pos = telldir $dirh;
371
+
- my $fn = readdir($dirh);
372
+
- if(!defined $fn) { fail($test_name); last SKIP; }
373
+
- if($fn =~ 'lagoio') {
374
+
- seekdir $dirh, $pos;
378
+
- is length async { scalar readdir $dirh } ->join, 258, $test_name;
381
+
- is scalar @w, 0, 'no warnings during all that' or diag @w;
385
+
diff --git a/win32/config.gc b/win32/config.gc
386
+
index f8776188c09c..34aa8de6ed75 100644
387
+
--- a/win32/config.gc
388
+
+++ b/win32/config.gc
389
+
@@ -199,6 +199,7 @@ d_fd_macros='define'
393
+
+d_fdopendir='undef'
394
+
d_fds_bits='define'
395
+
d_fegetround='undef'
397
+
diff --git a/win32/config.vc b/win32/config.vc
398
+
index 619979e22b53..536085fe94e0 100644
399
+
--- a/win32/config.vc
400
+
+++ b/win32/config.vc
401
+
@@ -199,6 +199,7 @@ d_fd_macros='define'
405
+
+d_fdopendir='undef'
406
+
d_fds_bits='define'
407
+
d_fegetround='undef'
pyrox.dev