Skip Menu |
 

This queue is for tickets about the Proc-ProcessTable CPAN distribution.

Report information
The Basics
Id: 110842
Status: resolved
Priority: 0/
Queue: Proc-ProcessTable

People
Owner: Nobody in particular
Requestors: SREZIC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 0.53
Fixed in: (no value)



Subject: Race condition in ttydevsfile cache creation
Download (untitled) / with headers
text/plain 1.3k
The following perl script is likely to exhibit a race condition: #!/usr/bin/perl -w use strict; use Proc::ProcessTable; unlink $Proc::ProcessTable::TTYDEVSFILE; if (fork == 0) { my $p = Proc::ProcessTable->new(cache_ttys => 1); warn "ok $$"; } else { my $p = Proc::ProcessTable->new(cache_ttys => 1); warn "ok $$"; } __END__ Running this script often shows output like this: $ perl proc-processtable-race-min.pl /tmp/TTYDEVS_12345678 was created by other process at /opt/perl-5.20.1/lib/site_perl/5.20.1/x86_64-linux/Proc/ProcessTable.pm line 117. ok 11416 at /tmp/proc-processtable-race-min.pl line 9. ... which means that one of the two processes died. There's another possible race that is more difficult to exploit: the 2nd process could start reading an unfinished Storable file. This would show up as the following error: Magic number checking on storable file failed at /usr/perl5.22.1sp/lib/5.22.1/amd64-freebsd/Storable.pm line 383, at proc-proctable-race.pl line 26. (To see this problem, one has to put some sleep() statements in the code). A suggestion to fix these races: if the cache file does not exist, then write first to a temporary file (no O_EXCL etc. needed here) and then do a atomic rename. If this rename fails because another process was faster, then don't die. I can create a pull request if you agree on this change.
Download (untitled) / with headers
text/plain 1.6k
Am Sa 02. Jan 2016, 05:51:47, SREZIC schrieb: Show quoted text
> The following perl script is likely to exhibit a race condition: > > #!/usr/bin/perl -w > use strict; > use Proc::ProcessTable; > > unlink $Proc::ProcessTable::TTYDEVSFILE; > if (fork == 0) { > my $p = Proc::ProcessTable->new(cache_ttys => 1); > warn "ok $$"; > } else { > my $p = Proc::ProcessTable->new(cache_ttys => 1); > warn "ok $$"; > } > __END__ > > Running this script often shows output like this: > > $ perl proc-processtable-race-min.pl > /tmp/TTYDEVS_12345678 was created by other process at /opt/perl- > 5.20.1/lib/site_perl/5.20.1/x86_64-linux/Proc/ProcessTable.pm line > 117. > ok 11416 at /tmp/proc-processtable-race-min.pl line 9. > > ... which means that one of the two processes died. > > There's another possible race that is more difficult to exploit: the > 2nd process could start reading an unfinished Storable file. This > would show up as the following error: > > Magic number checking on storable file failed at > /usr/perl5.22.1sp/lib/5.22.1/amd64-freebsd/Storable.pm line 383, at > proc-proctable-race.pl line 26. > > (To see this problem, one has to put some sleep() statements in the > code). > > A suggestion to fix these races: if the cache file does not exist, > then write first to a temporary file (no O_EXCL etc. needed here) and > then do a atomic rename. If this rename fails because another process > was faster, then don't die. I can create a pull request if you agree > on this change.
I wonder if this has any other security implications, in particular I think of https://rt.cpan.org/Public/Bug/Display.html?id=72862 . I would say no, therefore I would welcome a pull request. Best, Joachim
I think it is obsolete, but if there is still an issue with it, we can reactivate it.
Download (untitled) / with headers
text/plain 226b
On 2017-02-22 08:01:05, jwb wrote: Show quoted text
> I think it is obsolete, but if there is still an issue with it, we can > reactivate it.
The issue was opened against 0.53, the latest CPAN release, so I cannot see how it can be obsolete.
Download (untitled) / with headers
text/plain 345b
On 2017-02-22 18:33:21, SREZIC wrote: Show quoted text
> On 2017-02-22 08:01:05, jwb wrote:
> > I think it is obsolete, but if there is still an issue with it, we > > can > > reactivate it.
> > The issue was opened against 0.53, the latest CPAN release, so I > cannot see how it can be obsolete.
https://github.com/jwbargsten/perl-proc-processtable/pull/18
Thanks a lot!


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.