From: bug#11100 <11100@debbugs.gnu.org>
To: bug#11100 <11100@debbugs.gnu.org>
Subject: Status: Racy code in copy.c
Reply-To: bug#11100 <11100@debbugs.gnu.org>
Date: Fri, 20 Jun 2025 14:11:56 +0000

retitle 11100 Racy code in copy.c
reassign 11100 coreutils
submitter 11100 Philipp Thomas
severity 11100 normal
thanks

Date: Tue, 27 Mar 2012 14:58:18 +0200
From: Philipp Thomas
To: bug-coreutils@gnu.org
Cc: Neil F Brown
Subject: Racy code in copy.c

I'd like to pass on observations from my colleague Neil Brown:

in src/copy.c, copy_reg() is passed "bool *new_dst".

This is 'false' if the file already exists, in which case it attempts to
open the file with O_WRONLY | O_TRUNC | O_BINARY.
If it is 'true', only then does it use O_CREAT (and others).

Somewhere up the call chain - I'm not sure where - new_dst is set if 'stat'
on the file succeeds. The above mentioned code assumes that the file still
exists. This is racy - particularly for NFS where deletions from other
clients can take a while to appear.

Philipp

From: Jim Meyering
To: Philipp Thomas
Cc: 11100@debbugs.gnu.org, Neil F Brown
Subject: Re: bug#11100: Racy code in copy.c
Date: Tue, 27 Mar 2012 15:40:25 +0200

Philipp Thomas wrote:
> I'd like to pass on observations from my colleague Neil Brown:
>
> in src/copy.c, copy_reg() is passed "bool *new_dst".
>
> This is 'false' if the file already exists, in which case it attempts to
> open the file with O_WRONLY | O_TRUNC | O_BINARY.
> If it is 'true', only then does it use O_CREAT (and others).
>
> Somewhere up the call chain - I'm not sure where - new_dst is set if 'stat'
> on the file succeeds. The above mentioned code assumes that the file still
> exists. This is racy - particularly for NFS where deletions from other
> clients can take a while to appear.

Thanks for the report.
However, much of what cp does is mandated by the POSIX spec, including
that inevitable-looking (POSIX-mandated) TOCTOU race. Here's part of that
spec, from http://pubs.opengroup.org/onlinepubs/9699919799/utilities/cp.html:

    For each source_file, the following steps shall be taken:

    ...
    If source_file is of type directory, the following steps shall be taken:

    ...

    If source_file is of type regular file, the following steps
    shall be taken:

    The behavior is unspecified if dest_file exists and was
    written by a previous step. Otherwise, if dest_file exists,
    the following steps shall be taken:

    If the -i option is in effect, the cp utility shall
    write a prompt to the standard error and read a line from
    the standard input. If the response is not affirmative,
    cp shall do nothing more with source_file and go on to
    any remaining files.

    A file descriptor for dest_file shall be obtained by
    performing actions equivalent to the open() function
    defined in the System Interfaces volume of POSIX.1-2008
    called using dest_file as the path argument, and the
    bitwise-inclusive OR of O_WRONLY and O_TRUNC as the
    oflag argument.

    If the attempt to obtain a file descriptor fails and the
    -f option is in effect, cp shall attempt to remove the
    file by performing actions equivalent to the unlink()
    function defined in the System Interfaces volume
    of POSIX.1-2008 called using dest_file as the path
    argument. If this attempt succeeds, cp shall continue
    with step 3b.

    If dest_file does not exist, a file descriptor shall be
    obtained by performing actions equivalent to the open()
    function defined in the System Interfaces volume of
    POSIX.1-2008 called using dest_file as the path argument,
    and the bitwise-inclusive OR of O_WRONLY and O_CREAT as
    the oflag argument. The file permission bits of source_file
    shall be the mode argument.

    If the attempt to obtain a file descriptor fails, cp shall
    write a diagnostic message to standard error, do nothing
    more with source_file, and go on to any remaining files.

    The contents of source_file shall be written to the file
    descriptor. Any write errors shall cause cp to write a
    diagnostic message to standard error and continue to step 3e.

    The file descriptor shall be closed.

    The cp utility shall do nothing more with source_file. If
    a write error occurred in step 3d, it is unspecified if
    cp continues with any remaining files. If no write error
    occurred in step 3d, cp shall go on to any remaining files.

If you can find a way to make cp work sensibly in your specific case,
yet without impacting any other use case, please let us know.

Date: Tue, 27 Mar 2012 16:03:05 +0200
From: Philipp Thomas
To: Jim Meyering
Cc: 11100@debbugs.gnu.org, Neil F Brown
Subject: Re: bug#11100: Racy code in copy.c

Hi Jim,

* Jim Meyering (jim@meyering.net) [20120327 15:40]:

> If you can find a way to make cp work sensibly in your specific case,
> yet without impacting any other use case, please let us know.

Thanks for the clarification!
In that light though I doubt there is a way :(

Philipp

Date: Tue, 27 Mar 2012 15:09:37 +0100
From: Pádraig Brady
To: Philipp Thomas
Cc: 11100@debbugs.gnu.org, Neil F Brown
Subject: Re: bug#11100: Racy code in copy.c

On 03/27/2012 01:58 PM, Philipp Thomas wrote:
> I'd like to pass on observations from my colleague Neil Brown:
>
> in src/copy.c, copy_reg() is passed "bool *new_dst".
>
> This is 'false' if the file already exists, in which case it attempts to
> open the file with O_WRONLY | O_TRUNC | O_BINARY.
> If it is 'true', only then does it use O_CREAT (and others).
>
> Somewhere up the call chain - I'm not sure where - new_dst is set if 'stat'
> on the file succeeds. The above mentioned code assumes that the file still
> exists. This is racy - particularly for NFS where deletions from other
> clients can take a while to appear.

True. That would result in:
  "cannot create regular file ...": ENOENT
or if -f was specified a more confusing:
  "cannot remove ...": ENOENT

You could patch to avoid that edge case,
but handling dangling symlinks would complicate things.
It's borderline whether this is warranted.

Note the opposite case where a file is created
between the stat() and the creat() would result in:
  "cannot create regular file ...": EEXIST
even if -f was specified.
Note on NFS < 3 O_EXCL is not supported so
this condition won't be flagged at all.

Note also handling of this case would need to
honor the --no-clobber option(s).
Again awkward for an unusual edge case.

I suppose some comments would be appropriate at least.

cheers,
Pádraig.

Date: Tue, 27 Mar 2012 09:03:30 -0700
From: Paul Eggert
To: Philipp Thomas
Cc: 11100@debbugs.gnu.org, Neil F Brown
Subject: Re: bug#11100: Racy code in copy.c

On 03/27/2012 05:58 AM, Philipp Thomas wrote:
> The above mentioned code assumes that the file still
> exists. This is racy - particularly for NFS where deletions from other
> clients can take a while to appear.

*NEW_DST is a bit more complicated than that. At least for part
of the code it means the file was known not to exist, which is
not the same thing as being true if the file does not exist and
false otherwise. (Sometimes I think I need to take a course
on epistemology to understand this code, which is not a good sign....)

In general 'cp' is not and cannot be free from races due to
other active processes. A fix could well be needed here,
to work around NFS bugs, but it'd need to be thought through
in the light of other use cases.

Date: Wed, 28 Mar 2012 08:19:05 +1100
From: NeilBrown
To: Jim Meyering
Cc: Philipp Thomas, 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c

On Tue, 27 Mar 2012 15:40:25 +0200 Jim Meyering wrote:

> Philipp Thomas wrote:
> > I'd like to pass on observations from my colleague Neil Brown:
> >
> > in src/copy.c, copy_reg() is passed "bool *new_dst".
> >
> > This is 'false' if the file already exists, in which case it attempts to
> > open the file with O_WRONLY | O_TRUNC | O_BINARY.
> > If it is 'true', only then does it use O_CREAT (and others).
> >
> > Somewhere up the call chain - I'm not sure where - new_dst is set if 'stat'
> > on the file succeeds. The above mentioned code assumes that the file still
> > exists. This is racy - particularly for NFS where deletions from other
> > clients can take a while to appear.
>
> Thanks for the report.
> However, much of what cp does is mandated by the POSIX spec, including
> that inevitable-looking (POSIX-mandated) TOCTOU race. Here's part of that
> spec, from http://pubs.opengroup.org/onlinepubs/9699919799/utilities/cp.html:
>
>     For each source_file, the following steps shall be taken:
>
>     ...
>     If source_file is of type directory, the following steps shall be taken:
>
>     ...
>
>     If source_file is of type regular file, the following steps
>     shall be taken:
>
>     The behavior is unspecified if dest_file exists and was
>     written by a previous step. Otherwise, if dest_file exists,
>     the following steps shall be taken:
>
>     If the -i option is in effect, the cp utility shall
>     write a prompt to the standard error and read a line from
>     the standard input. If the response is not affirmative,
>     cp shall do nothing more with source_file and go on to
>     any remaining files.
>
>     A file descriptor for dest_file shall be obtained by
>     performing actions equivalent to the open() function
>     defined in the System Interfaces volume of POSIX.1-2008
>     called using dest_file as the path argument, and the
>     bitwise-inclusive OR of O_WRONLY and O_TRUNC as the
>     oflag argument.
>
>     If the attempt to obtain a file descriptor fails and the
>     -f option is in effect, cp shall attempt to remove the
>     file by performing actions equivalent to the unlink()
>     function defined in the System Interfaces volume
>     of POSIX.1-2008 called using dest_file as the path
>     argument. If this attempt succeeds, cp shall continue
>     with step 3b.
>
>     If dest_file does not exist, a file descriptor shall be
>     obtained by performing actions equivalent to the open()
>     function defined in the System Interfaces volume of
>     POSIX.1-2008 called using dest_file as the path argument,
>     and the bitwise-inclusive OR of O_WRONLY and O_CREAT as
>     the oflag argument. The file permission bits of source_file
>     shall be the mode argument.
>
>     If the attempt to obtain a file descriptor fails, cp shall
>     write a diagnostic message to standard error, do nothing
>     more with source_file, and go on to any remaining files.
>
>     The contents of source_file shall be written to the file
>     descriptor. Any write errors shall cause cp to write a
>     diagnostic message to standard error and continue to step 3e.
>
>     The file descriptor shall be closed.
>
>     The cp utility shall do nothing more with source_file. If
>     a write error occurred in step 3d, it is unspecified if
>     cp continues with any remaining files. If no write error
>     occurred in step 3d, cp shall go on to any remaining files.
>
> If you can find a way to make cp work sensibly in your specific case,
> yet without impacting any other use case, please let us know.

The above doesn't specify how you determine if the dest file exists.
You could do this with stat plus open(O_WRONLY).
Only try the open on REG files.

if ((use_stat - ? stat (dst_name, &dst_sb) + ? (stat (dst_name, &dst_sb) < 0 ? -1 : + (fd =3D open (dst_name, O_WRONLY)) < 0 ? -1 : 0) : lstat (dst_name, &dst_sb)) !=3D 0)

If the stat fails, or the open fails with ENOENT, then the file doesn't
exist, otherwise assume it does.
Keep the file descriptor around (if there is one) and then the "actions
equivalent to open() ..." would be

    if (fd < 0)
        fd = open(pathname, O_WRONLY | O_TRUNC);
    else
        ftruncate(fd, 0);

I started making a patch - but it got messy quickly. Too many conditional
calls to close().
And at over 1000 lines, copy_internal was too big for me to work with :-(

NeilBrown

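Review bot: in the two added "+" lines, any failure of open (dst_name, O_WRONLY) makes the whole condition non-zero, so an existing destination that stat just found but that cannot be opened for writing (EACCES, EISDIR and so on) takes the same path as a failed stat, while the accompanying text says only ENOENT should mean the file is gone. Suggest checking errno == ENOENT explicitly after the open and keeping the stat result for every other error. The open also runs before dst_sb has been tested with S_ISREG, although the message says to try it only on regular files, and a write-only open of a FIFO can block. Finally, fd needs a defined value (-1) on the lstat branch and when stat fails, because the later "if (fd < 0)" reads it on every path.
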
From: Jim Meyering
To: NeilBrown
Cc: Philipp Thomas, 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Date: Wed, 28 Mar 2012 18:07:51 +0200

NeilBrown wrote:
> On Tue, 27 Mar 2012 15:40:25 +0200 Jim Meyering wrote:
>
>> Philipp Thomas wrote:
>> > I'd like to pass on observations from my colleague Neil Brown:
>> >
>> > in src/copy.c, copy_reg() is passed "bool *new_dst".
>> >
>> > This is 'false' if the file already exists, in which case it attempts to
>> > open the file with O_WRONLY | O_TRUNC | O_BINARY.
>> > If it is 'true', only then does it use O_CREAT (and others).
>> >
>> > Somewhere up the call chain - I'm not sure where - new_dst is set if 'stat'
>> > on the file succeeds. The above mentioned code assumes that the file still
>> > exists. This is racy - particularly for NFS where deletions from other
>> > clients can take a while to appear.
>>
>> Thanks for the report.
>> However, much of what cp does is mandated by the POSIX spec, including
>> that inevitable-looking (POSIX-mandated) TOCTOU race. Here's part of that
>> spec, from http://pubs.opengroup.org/onlinepubs/9699919799/utilities/cp.html:
...
>> If you can find a way to make cp work sensibly in your specific case,
>> yet without impacting any other use case, please let us know.
>
> The above doesn't specify how you determine if the dest file exists.
> You could do this with stat plus open(O_WRONLY).
> Only try the open on REG files.

It seems that any change here would be working around the non-POSIX
nature of NFS: note that POSIX seems clear[*] that stat must tell us
whether a file exists (barring "additional or alternate file access
control mechanisms" which aren't an issue here).

I.e., this is an RFE: avoid NFS races due to inherent
POSIX-non-compliance of NFS, rather than a bug.

> if ((use_stat > - ? stat (dst_name, &dst_sb) > + ? (stat (dst_name, &dst_sb) < 0 ? -1 : > + (fd = open (dst_name, O_WRONLY)) < 0 ? -1 : 0) > : lstat (dst_name, &dst_sb)) > != 0)

At first glance, that might be reasonable: the additional open
is incurred only after a failed stat.
I'll look more closely in a week or two if no one else investigates.

One thing that would help a lot is a test case (even using gdb, strace,
stap, inotify, fuse, etc.) that consistently triggers the failure without
the need for an NFS set-up.

> If the stat fails, or the open fails with ENOENT, then the file doesn't
> exist, otherwise assume it does.
> Keep the file descriptor around (if there is one) and then the "actions
> equivalent to open() ..." would be
>     if (fd < 0)
>         fd = open(pathname, O_WRONLY | O_TRUNC);
>     else
>         ftruncate(fd, 0);
>
>
> I started making a patch - but it got messy quickly. Too many conditional
> calls to close().
> And at over 1000 lines, copy_internal was too big for me to work with :-(

[*] excerpt from a possibly dated spec:

    The stat() function shall obtain information about the named file
    and write it to the area pointed to by the buf argument. The path
    argument points to a pathname naming a file. Read, write, or execute
    permission of the named file is not required. An implementation that
    provides additional or alternate file access control mechanisms may,
    under implementation-defined conditions, cause stat() to fail.
    In particular, the system may deny the existence of the file
    specified by path.

    If the named file is a symbolic link, the stat() function shall
    continue pathname resolution using the contents of the symbolic link,
    and shall return information pertaining to the resulting file if the
    file exists.

    The buf argument is a pointer to a stat structure, as defined in the
    header, into which information is placed concerning the file.

    The stat() function shall update any time-related fields (as described
    in XBD Section 4.8, on page 109), before writing into the stat
    structure.

    If the named file is a shared memory object, ...

    If the named file is a typed memory object, ...

Date: Wed, 28 Mar 2012 11:26:32 -0700
From: Paul Eggert
To: Jim Meyering
Cc: NeilBrown, Philipp Thomas, 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c

On 03/28/2012 09:07 AM, Jim Meyering wrote:

>> if ((use_stat >> > - ? stat (dst_name, &dst_sb) >> > + ? (stat (dst_name, &dst_sb) < 0 ? -1 : >> > + (fd = open (dst_name, O_WRONLY)) < 0 ? -1 : 0) >> > : lstat (dst_name, &dst_sb)) >> > != 0)
> At first glance, that might be reasonable: the additional open
> is incurred only after a failed stat.
> I'll look more closely in a week or two if no one else investigates.

Come to think of it, wouldn't it be more efficient to do an
open (dst_name, O_WRONLY | O_BINARY), and then fstat the
resulting fd, falling back on 'stat' only if the open fails
with errno == EACCES? That should be more efficient in the
usual case, since it'd resolve the file name fewer times in the
usual case.
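
Added example (not coreutils code and not posted by anyone in this thread): a C version of the approach discussed above, in which the destination is opened first and the descriptor kept, fstat() and ftruncate() on that descriptor replace the stat()/O_TRUNC pair, and creation is attempted only after ENOENT. open_dest(), MAX_RETRIES and the choice to refuse non-regular destinations and dangling symlinks are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption of this example: how many lost races to tolerate. */
enum { MAX_RETRIES = 8 };

/* Close FD and report ERR to the caller through errno. */
static int fail_close(int fd, int err)
{
    close(fd);
    errno = err;
    return -1;
}

/* Obtain a write descriptor for DST without a separate existence check.
   Returns an fd referring to an empty regular file, or -1 with errno set.
   *created is set to 1 if this call created the file, 0 if it existed. */
int open_dest(const char *dst, mode_t mode, int *created)
{
    for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {
        /* "dest_file exists" case: open without O_TRUNC, so nothing is
           destroyed before the object actually opened has been inspected.
           O_NONBLOCK keeps a FIFO at DST from blocking the open. */
        int fd = open(dst, O_WRONLY | O_NONBLOCK | O_NOCTTY);
        if (fd >= 0) {
            struct stat sb;
            if (fstat(fd, &sb) != 0)
                return fail_close(fd, errno);
            if (!S_ISREG(sb.st_mode))          /* example handles regular files only */
                return fail_close(fd, EINVAL);
            if (ftruncate(fd, 0) != 0)         /* same file the fstat described */
                return fail_close(fd, errno);
            *created = 0;
            return fd;
        }
        if (errno != ENOENT)
            return -1;                         /* EACCES, EISDIR, ...: it exists */

        /* "dest_file does not exist" case: O_EXCL reports a file that
           appeared since the open above instead of silently reusing it. */
        fd = open(dst, O_WRONLY | O_CREAT | O_EXCL, mode);
        if (fd >= 0) {
            *created = 1;
            return fd;
        }
        if (errno != EEXIST)
            return -1;
        /* EEXIST: the name was created in between, or DST is a dangling
           symlink (ENOENT when followed, EEXIST with O_EXCL).  Retry. */
    }
    errno = EEXIST;                            /* persistent: refuse */
    return -1;
}

int main(void)
{
    char dir[] = "/tmp/open_dest_XXXXXX";      /* constructed scratch directory */
    char path[64];
    int created;

    if (mkdtemp(dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    snprintf(path, sizeof path, "%s/dst", dir);

    for (int i = 0; i < 2; i++) {              /* first call creates, second truncates */
        int fd = open_dest(path, 0600, &created);
        if (fd < 0) {
            perror(path);
            return 1;
        }
        printf("%s: %s\n", path, created ? "created" : "truncated existing file");
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return 0;
}
```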

Date: Thu, 29 Mar 2012 10:03:27 +1100
From: NeilBrown To: Jim Meyering Subject: Re: bug#11100: Racy code in copy.c Message-ID: <20120329100327.46aed592@notabene.brown> In-Reply-To: <87iphou2so.fsf@rho.meyering.net> References: <20120327125817.GC12979@paradies.suse.de> <87fwcuw4ae.fsf@rho.meyering.net> <20120328081905.4b83d593@notabene.brown> <87iphou2so.fsf@rho.meyering.net> X-Mailer: Claws Mail 3.7.10 (GTK+ 2.24.7; x86_64-suse-linux-gnu) Mime-Version: 1.0 Content-Type: multipart/signed; micalg=PGP-SHA1; boundary="Sig_//Cq27km549ka437vIsPpW4t"; protocol="application/pgp-signature" X-Spam-Score: -1.9 (-) X-Debbugs-Envelope-To: 11100 Cc: Philipp Thomas , 11100@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: debbugs-submit-bounces@debbugs.gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org X-Spam-Score: -6.9 (------) --Sig_//Cq27km549ka437vIsPpW4t Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable On Wed, 28 Mar 2012 18:07:51 +0200 Jim Meyering wrote: > NeilBrown wrote: > > On Tue, 27 Mar 2012 15:40:25 +0200 Jim Meyering wrot= e: > > > >> Philipp Thomas wrote: > >> > I'd like to pass on observations from my collegue Neil Brown: > >> > > >> > in src/copy.c, copy_reg() is passed "bool *new_dst". > >> > > >> > This is 'false' if the file already exists, in which case it attempt= s to > >> > open the file with O_WRONLY | O_TRUNC | O_BINARY. > >> > If it is 'true', only then does it use O_CREAT (and others). > >> > > >> > Somewhere up the call chain - I'm not sure where - new_dst is set if= 'stat' > >> > on the file succeeds. The above mentioned code assumes that the fil= e still > >> > exists. This is racy - particularly for NFS where deletions from ot= her > >> > clients can take a while to appear. > >> > >> Thanks for the report. 
> >> However, much of what cp does is mandated by the POSIX spec, including
> >> that inevitable-looking (POSIX-mandated) TOCTOU race. Here's part of that
> >> spec, from http://pubs.opengroup.org/onlinepubs/9699919799/utilities/cp.html:
> ...
> >> If you can find a way to make cp work sensibly in your specific case,
> >> yet without impacting any other use case, please let us know.
> >
> > The above doesn't specify how you determine if the dest file exists.
> > You could do this with stat plus open(O_WRONLY).
> > Only try the open on REG files.
>
> It seems that any change here would be working around the non-POSIX
> nature of NFS: note that POSIX seems clear[*] that stat must tell us
> whether a file exists (barring "additional or alternate file access
> control mechanisms" which aren't an issue here).

stat() cannot tell whether a file "exists" - only whether it "existed" very
recently. open() can ensure that the file still exists - though there is no
guarantee that the name still exists...

>
> I.e., this is an RFE: avoid NFS races due to inherent
> POSIX-non-compliance of NFS, rather than a bug.

Maybe .....

Suppose a 'cp' and an 'rm' are racing. I.e. you cp to 'foo' at much the same
time that someone else does 'rm foo'.
What results are valid?
Certainly it is valid for both to succeed and 'foo' not to exist if 'rm foo'
happened last.
Similarly it is valid for both to succeed and foo to be a newly created file
if 'cp' happened last.

But is it valid for 'rm' to succeed and 'cp' to report that it couldn't
create the target because "no such file or directory"?
I would suggest not, though I doubt the spec is at all clear on this.
However that is what the current code allows.
NFS doesn't exactly introduce new behaviour, it just makes a particular race
condition much easier to hit.

So I'll not press that it is a "bug" in cp, but I would suggest that it is an
opportunity to improve behaviour in a corner-case.

>
> > if ((use_stat > > - ?
stat (dst_name, &dst_sb) > > + ? (stat (dst_name, &dst_sb) < 0 ? -1 : > > + (fd =3D open (dst_name, O_WRONLY)) < 0 ? -1 : 0) > > : lstat (dst_name, &dst_sb)) > > !=3D 0)
>
> At first glance, that might be reasonable: the additional open
> is incurred only after a failed stat.

This isn't what the proposed code does. The open is incurred after a
*successful* stat (though it should only be tried if stat reported S_IFREG).
And it is not intended as an 'additional' open. Rather the open that we
would expect anyway is being performed earlier to avoid a race condition.

> I'll look more closely in a week or two if no one else investigates.
>
> One thing that would help a lot is a test case (even using gdb, strace,
> stap, inotify, fuse, etc.) that consistently triggers the failure without
> the need for an NFS set-up.

 gdb cp
   run cp foo    # this succeeds of course - 'foo' is a copy of 'cp'
   break copy.c:1679   # this is 'have_dst_lstat = !use_stat;'
   shell rm foo
   c

Result:
/home/git/coreutils/src/cp: cannot create regular file 'foo': No such file or directory

With NFS, the 'rm' happens on a different machine and due to the caching
protocol of NFS the unlink is not visible to the 'stat', but it is to the
subsequent 'open' - it is as though it happened between those two calls.

NeilBrown

Date: Fri, 4 May 2012 15:20:59 +0200
From: Philipp Thomas
To: 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Organization: SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)

* Jim Meyering (jim@meyering.net) [20120328 18:09]:

> At first glance, that might be reasonable: the additional open
> is incurred only after a failed stat.
> I'll look more closely in a week or two if no one else investigates.

Ping, it's been more than two weeks and I'm being bugged for a possible
solution and will refrain from making changes that aren't accepted upstream.

Philipp

From: Jim Meyering
To: Philipp Thomas
Cc: 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Date: Fri, 04 May 2012 16:47:51 +0200

Philipp Thomas wrote:
> * Jim Meyering (jim@meyering.net) [20120328 18:09]:
>
>> At first glance, that might be reasonable: the additional open
>> is incurred only after a failed stat.
>> I'll look more closely in a week or two if no one else investigates.
>
> Ping, it's been more than two weeks and I'm being bugged for a possible
> solution and will refrain from making changes that aren't accepted upstream.

Thanks for the reminder.
I did investigate it back then, but didn't make any progress.
Today I looked again and saw the light ;-)

Here's a partial patch.
Still to come: a NEWS addition and a test case.

>From b85446f612846ec9c99fe3e13dd78e861428ddde Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Fri, 4 May 2012 16:42:31 +0200
Subject: [PATCH] cp: handle a race condition more sensibly

* src/copy.c (copy_reg): In a narrow race (stat sees dest, yet
open-without-O_CREAT fails with ENOENT), retry the open with O_CREAT.
Reported by Philipp Thomas and Neil F. Brown in
http://debbugs.gnu.org/11100
---
 src/copy.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/copy.c b/src/copy.c index 844ebcd..2558fea 100644 --- a/src/copy.c +++ b/src/copy.c @@ -892,6 +892,8 @@ copy_reg (char const *src_name, char const *dst_name, if (*new_dst) { + open_with_O_CREAT:; + int open_flags = O_WRONLY | O_CREAT | O_BINARY; dest_desc = open (dst_name, open_flags | O_EXCL, dst_mode & ~omitted_permissions); 
@@ -942,6 +944,23 @@ copy_reg (char const *src_name, char const *dst_name, if (dest_desc < 0) { + /* If we've just failed due to ENOENT for an ostensibly preexisting + destination (*new_dst was 0), that's a bit of a contradiction/race: + the prior stat/lstat said the file existed (*new_dst was 0), yet + the subsequent open-existing-file failed with ENOENT. With NFS, + the race window is wider still, since its meta-data caching tends + to make the stat succeed for a just-removed remote file, while the + more-definitive initial open call will fail with ENOENT. When this + situation arises, we attempt to open again, but this time with + O_CREAT. Do this only when not in move-mode, since when handling + a cross-device move, we must never open an existing destination. */ + if (dest_errno == ENOENT && ! *new_dst && ! x->move_mode) + { + *new_dst = 1; + goto open_with_O_CREAT; + } + + /* Otherwise, it's an error. */ error (0, dest_errno, _("cannot create regular file %s"), quote (dst_name)); return_val = false; -- 1.7.10.1.456.g16798d0
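
Review bot: in the second hunk, the retry condition dest_errno == ENOENT && ! *new_dst && ! x->move_mode treats every ENOENT as "the destination was removed", yet the comment itself says the earlier check may have been an lstat, and a symlink whose target is missing also passes lstat and then fails the open with ENOENT. Say in the comment what the O_CREAT | O_EXCL retry is expected to do in that case, and cover it in the test that is still to come. Setting *new_dst = 1 before the goto is what limits this to a single retry; because it writes through the caller's pointer, that side effect deserves a sentence in the comment as well.
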
Date: Fri, 04 May 2012 08:54:05 -0600
From: Eric Blake
Organization: Red Hat
To: Jim Meyering
Cc: Philipp Thomas, 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c

On 05/04/2012 08:47 AM, Jim Meyering wrote:
>
> * src/copy.c (copy_reg): In a narrow race (stat sees dest, yet
> open-without-O_CREAT fails with ENOENT), retry the open with O_CREAT.
> Reported by Philipp Thomas and Neil F. Brown in
> http://debbugs.gnu.org/11100

Question - when we retry with adding O_CREAT, should we also add O_EXCL?
That is, we already lost the race once, but the O_EXCL will ensure that
we don't lose the race a second time and that we really are creating a file.

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

From: Jim Meyering
To: Eric Blake
Cc: Philipp Thomas, 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Date: Fri, 04 May 2012 16:58:53 +0200

Eric Blake wrote:
> On 05/04/2012 08:47 AM, Jim Meyering wrote:
>>
>> * src/copy.c (copy_reg): In a narrow race (stat sees dest, yet
>> open-without-O_CREAT fails with ENOENT), retry the open with O_CREAT.
>> Reported by Philipp Thomas and Neil F. Brown in
>> http://debbugs.gnu.org/11100
>
> Question - when we retry with adding O_CREAT, should we also add O_EXCL?
> That is, we already lost the race once, but the O_EXCL will ensure that
> we don't lose the race a second time and that we really are creating a file.

I was concerned about that, too, but noted it's already
always done in the O_CREAT/*new_dst path:

  if (*new_dst)
    {
    open_with_O_CREAT:;

      int open_flags = O_WRONLY | O_CREAT | O_BINARY;
      dest_desc = open (dst_name, open_flags | O_EXCL,
                        dst_mode & ~omitted_permissions);

From: Jim Meyering
To: Eric Blake
Cc: Philipp Thomas, 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Date: Fri, 04 May 2012 16:59:51 +0200

Eric Blake wrote:
> On 05/04/2012 08:47 AM, Jim Meyering wrote:
>>
>> * src/copy.c (copy_reg): In a narrow race (stat sees dest, yet
>> open-without-O_CREAT fails with ENOENT), retry the open with O_CREAT.
>> Reported by Philipp Thomas and Neil F. Brown in
>> http://debbugs.gnu.org/11100
>
> Question - when we retry with adding O_CREAT, should we also add O_EXCL?
> That is, we already lost the race once, but the O_EXCL will ensure that
> we don't lose the race a second time and that we really are creating a file.

And thanks for looking.
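
The removal race and the O_CREAT | O_EXCL retry discussed in the messages above, reduced to a stand-alone C program. This is an added example, not code from coreutils or from anyone in the thread; the function names, the believed_exists parameter and the /tmp/cp-race-XXXXXX directory are assumptions made for the illustration.

```c
/* Added illustration; not coreutils code.  All names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* believed_exists is what an earlier stat reported about dst. */
typedef int (*open_fn) (const char *dst, bool believed_exists, mode_t mode);

/* Behaviour described in the report: the open trusts the earlier stat. */
static int
open_dest_racy (const char *dst, bool believed_exists, mode_t mode)
{
  if (believed_exists)
    return open (dst, O_WRONLY | O_TRUNC);
  return open (dst, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* Retry in the spirit of the patch: ENOENT for a file that stat saw means
   the name vanished in between, so fall through to the create path.
   O_EXCL there refuses a file that another process created meanwhile. */
static int
open_dest_retry (const char *dst, bool believed_exists, mode_t mode)
{
  if (believed_exists)
    {
      int fd = open (dst, O_WRONLY | O_TRUNC);
      if (fd >= 0 || errno != ENOENT)
        return fd;
    }
  return open (dst, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* Create or remove PATH, standing in for the other process. */
static void
set_present (const char *path, bool present)
{
  if (present)
    {
      int fd = open (path, O_WRONLY | O_CREAT, 0600);
      if (fd >= 0)
        close (fd);
    }
  else
    unlink (path);
}

/* Constructed scenario in a private temporary directory: the destination
   is present or absent at stat time (at_stat) and at open time (at_open).
   Returns 0 if the open succeeded, otherwise the errno it failed with. */
static int
run_scenario (open_fn open_dest, bool at_stat, bool at_open)
{
  char dir[] = "/tmp/cp-race-XXXXXX";
  char dst[sizeof dir + 2];
  struct stat sb;

  if (!mkdtemp (dir))
    return errno;
  snprintf (dst, sizeof dst, "%s/d", dir);

  set_present (dst, at_stat);
  bool believed_exists = stat (dst, &sb) == 0;      /* time of check */
  set_present (dst, at_open);                       /* the racing rm or create */
  int fd = open_dest (dst, believed_exists, 0600);  /* time of use */
  int result = fd < 0 ? errno : 0;

  if (fd >= 0)
    close (fd);
  unlink (dst);
  rmdir (dir);
  return result;
}

int
main (void)
{
  printf ("racy,  removed after stat: %d (ENOENT is %d)\n",
          run_scenario (open_dest_racy, true, false), ENOENT);
  printf ("retry, removed after stat: %d\n",
          run_scenario (open_dest_retry, true, false));
  printf ("retry, created after stat: %d (EEXIST is %d)\n",
          run_scenario (open_dest_retry, false, true), EEXIST);
  return 0;
}
```

The third scenario is the one Eric Blake's question is about: with O_EXCL on the create path, a file that appears after the check is refused with EEXIST rather than silently reused.
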

Date: Fri, 4 May 2012 17:29:10 +0200
From: Philipp Thomas
To: Jim Meyering
Cc: 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Organization: SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)

* Jim Meyering (jim@meyering.net) [20120504 16:47]:

> Here's a partial patch.

Marvellous! That's exactly the thing I needed to finish my working week!
Thanks a bunch for your work.

have a nice weekend
Philipp

From: Jim Meyering
To: Philipp Thomas
Cc: 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Date: Fri, 04 May 2012 17:30:49 +0200

Philipp Thomas wrote:
> * Jim Meyering (jim@meyering.net) [20120504 16:47]:
>
>> Here's a partial patch.
>
> Marvellous! That's exactly the thing I needed to finish my working week!
> Thanks a bunch for your work.
>
> have a nice weekend

Thanks. You too.
If there's a bugzilla reference for this, let me know
and I'll add it to the commit log.

From: Jim Meyering
To: Philipp Thomas
Cc: 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Date: Sun, 06 May 2012 11:39:01 +0200

Jim Meyering wrote:
> Philipp Thomas wrote:
>> * Jim Meyering (jim@meyering.net) [20120328 18:09]:
>>
>>> At first glance, that might be reasonable: the additional open
>>> is incurred only after a failed stat.
>>> I'll look more closely in a week or two if no one else investigates.
>>
>> Ping, it's been more than two weeks and I'm being bugged for a possible
>> solution and will refrain from making changes that aren't accepted upstream.
>
> Thanks for the reminder.
> I did investigate it back then, but didn't make any progress.
> Today I looked again and saw the light ;-)
>
> Here's a partial patch.
> Still to come: a NEWS addition and a test case.

Here's that same patch, along with a glibc-specific
LD_PRELOAD-based test and a NEWS entry.

>From d8a631cb1a08ee73bde061d36b068585358ff6fe Mon Sep 17 00:00:00 2001
From: Jim Meyering Date: Fri, 4 May 2012 16:42:31 +0200 Subject: [PATCH 1/2] cp: handle a race condition more sensibly * src/copy.c (copy_reg): In a narrow race (stat sees dest, yet open-without-O_CREAT fails with ENOENT), retry the open with O_CREAT. Reported by Philipp Thomas and Neil F. Brown in http://bugs.gnu.org/11100 --- THANKS.in | 1 + src/copy.c | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/THANKS.in b/THANKS.in index a7403fd..d8f7a4b 100644 --- a/THANKS.in +++ b/THANKS.in @@ -489,6 +489,7 @@ Phil Richards phil.richards@vf.vodafone.co.uk Philippe De Muyter phdm@macqel.be Philippe Schnoebelen Philippe.Schnoebelen@imag.fr Phillip Jones mouse@datastacks.com +Philipp Thomas pth@suse.de Piergiorgio Sartor sartor@sony.de Pieter Bowman bowman@math.utah.edu Piotr Gackiewicz gacek@intertele.pl diff --git a/src/copy.c b/src/copy.c index 844ebcd..2558fea 100644 --- a/src/copy.c +++ b/src/copy.c @@ -892,6 +892,8 @@ copy_reg (char const *src_name, char const *dst_name, if (*new_dst) { + open_with_O_CREAT:; + int open_flags = O_WRONLY | O_CREAT | O_BINARY; dest_desc = open (dst_name, open_flags | O_EXCL, dst_mode & ~omitted_permissions); 
@@ -942,6 +944,23 @@ copy_reg (char const *src_name, char const *dst_name, if (dest_desc < 0) { + /* If we've just failed due to ENOENT for an ostensibly preexisting + destination (*new_dst was 0), that's a bit of a contradiction/race: + the prior stat/lstat said the file existed (*new_dst was 0), yet + the subsequent open-existing-file failed with ENOENT. With NFS, + the race window is wider still, since its meta-data caching tends + to make the stat succeed for a just-removed remote file, while the + more-definitive initial open call will fail with ENOENT. When this + situation arises, we attempt to open again, but this time with + O_CREAT. Do this only when not in move-mode, since when handling + a cross-device move, we must never open an existing destination. */ + if (dest_errno == ENOENT && ! *new_dst && ! x->move_mode) + { + *new_dst = 1; + goto open_with_O_CREAT; + } + + /* Otherwise, it's an error. */ error (0, dest_errno, _("cannot create regular file %s"), quote (dst_name)); return_val = false; -- 1.7.10.1.457.g8275905 >From 59bee5a6bfac96bba6684e740fdf35063b4461a8 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Sat, 5 May 2012 21:58:13 +0200 Subject: [PATCH 2/2] tests: test for just-fixed cp change * tests/cp/nfs-removal-race: New file. * tests/Makefile.am (TESTS): Add it. * NEWS (Bug fixes): Mention it. --- NEWS | 6 ++++ tests/Makefile.am | 1 + tests/cp/nfs-removal-race | 70 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 77 insertions(+) create mode 100755 tests/cp/nfs-removal-race diff --git a/NEWS b/NEWS index 1c00d96..5e32f79 100644 --- a/NEWS +++ b/NEWS 
@@ -11,6 +11,12 @@ GNU coreutils NEWS -*- outline -*- changed, the new group ID would be listed, even though it is not yet effective. + cp S D is no longer subject to a race: if D were removed between the + initial stat and subsequent open-without-O_CREATE, cp would fail with + a confusing diagnostic saying that the destination, D, was not found. + Now, in this unusual case, it retries the open (but with O_CREATE), + and hence usually succeeds. + ** New features fmt now accepts the --goal=WIDTH (-g) option. diff --git a/tests/Makefile.am b/tests/Makefile.am index 72717e3..ca19051 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -349,6 +349,7 @@ TESTS = \ cp/link-no-deref \ cp/link-preserve \ cp/link-symlink \ + cp/nfs-removal-race \ cp/no-deref-link1 \ cp/no-deref-link2 \ cp/no-deref-link3 \ diff --git a/tests/cp/nfs-removal-race b/tests/cp/nfs-removal-race new file mode 100755 index 0000000..6a435b0 --- /dev/null +++ b/tests/cp/nfs-removal-race 
@@ -0,0 +1,70 @@ +#!/bin/sh +# Running cp S D on an NFS client while another client has just removed D +# would lead (w/coreutils-8.16 and earlier) to cp's initial stat call +# seeing (via stale NFS cache) that D exists, so that cp would then call +# open without the O_CREAT flag. Yet, the open must actually consult +# the server, which confesses that D has been deleted, thus causing the +# open call to fail with ENOENT. +# +# This test simulates that situation by intercepting stat for a nonexistent +# destination, D, and making the stat fill in the result struct for another +# file and return 0. +# +# This test is skipped on systems that lack LD_PRELOAD support; that's fine. +# Similarly, on a system that lacks or __xstat, skipping it is fine. + +# Copyright (C) 2012 Free Software Foundation, Inc. + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. "${srcdir=.}/init.sh"; path_prepend_ ../src +print_ver_ cp + +# Replace each stat call with a call to this wrapper. +cat > k.c <<'EOF' || framework_failure_ +#define _GNU_SOURCE +#include +#include + +#define __xstat __xstat_orig + +#include +#include + +#undef __xstat + +int +__xstat (int ver, const char *path, struct stat *st) +{ + static int (*real_stat)(int ver, const char *path, struct stat *st) = NULL; + if (!real_stat) + real_stat = dlsym (RTLD_NEXT, "__xstat"); + /* When asked to stat nonexistent "d", + return results suggesting it exists. 
*/ + return real_stat (ver, *path == 'd' && path[1] == 0 ? "d2" : path, st); +} +EOF + +# Then compile/link it: +$CC -shared -fPIC -O2 k.c -o k.so \ + || framework_failure_ 'failed to compile with -shared -fPIC' + +touch d2 || framework_failure_ +echo xyz > src || framework_failure_ + +# Finally, run the test: +LD_PRELOAD=./k.so cp src d || fail=1 + +compare src d || fail=1 +Exit $fail -- 1.7.10.1.457.g8275905
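
Review bot: The NEWS hunk spells the open flag "O_CREATE" in both "open-without-O_CREATE" and "(but with O_CREATE)"; the flag is O_CREAT, as the header comment of tests/cp/nfs-removal-race in this same patch writes it. Suggest correcting both occurrences so the entry names the flag a reader can look up.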
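
Review bot: At the end of tests/cp/nfs-removal-race, "LD_PRELOAD=./k.so cp src d || fail=1" followed by "compare src d || fail=1" passes whether or not the __xstat wrapper was ever called: if the preload has no effect, or cp reaches stat through a different symbol, d simply does not exist, cp creates it, and the test reports success without exercising the ENOENT retry. Suggest having the wrapper leave evidence that it ran (for example a marker file that the script checks for) and skipping the test when that evidence is missing. Two smaller points in the same file: the header comment says the test is skipped on systems without LD_PRELOAD support, yet a failed "$CC -shared -fPIC" build calls framework_failure_ rather than skipping, and the result of dlsym (RTLD_NEXT, "__xstat") is called without a NULL check.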

From: Pádraig Brady
To: Jim Meyering
Cc: Philipp Thomas, 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c

I can't think of any issue with this.
Code looks good.
Test triggers the new condition.

+1

cheers,
Pádraig.

From: Jim Meyering
To: Pádraig Brady
Cc: Philipp Thomas, 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
In-Reply-To: <4FA6550C.1080309@draigBrady.com> (Pádraig Brady's message of "Sun, 06 May 2012 11:40:12 +0100")
Date: Sun, 06 May 2012 14:06:21 +0200

Pádraig Brady wrote:
> I can't think of any issue with this.
> Code looks good.
> Test triggers the new condition.

Thanks for the review.
I've squashed the test-adding commit onto the fix,
added this sentence to NEWS:

  With NFS attribute caching, the condition was particularly
  easy to trigger, since there, the removal of D could precede the
  initial stat.

I was about to push, then wondered...
I'd been assuming that the Neil Brown already listed in THANKS.in
is the same as the Neil F. Brown at SuSE. We know that assuming
is bad, so I checked linux's git log, which appears to confirm.
So I have updated Neil's name (to add the F.) and email, too.
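
The stat-then-open race discussed in this thread, as an added C example that is not part of the original messages and is not coreutils' src/copy.c: naive_open_dest trusts a possibly stale stat result, while open_dest retries with O_CREAT only when the open fails with ENOENT. The function names, the O_EXCL on the create path and the scratch directory under /tmp are assumptions of this example.

```c
/* Added illustration; not coreutils code.  All names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Old shape: trust the earlier stat.  If it said DST exists, open without
   O_CREAT; when DST is already gone this fails with ENOENT. */
static int naive_open_dest(const char *dst, bool stat_said_exists, mode_t mode)
{
    if (stat_said_exists)
        return open(dst, O_WRONLY | O_TRUNC);
    return open(dst, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* New shape: the stat result is only a hint.  ENOENT from the
   open-existing attempt contradicts it, so fall through to the create
   path.  Any other errno goes back to the caller unchanged. */
static int open_dest(const char *dst, bool stat_said_exists, mode_t mode,
                     bool *created)
{
    *created = false;
    if (stat_said_exists) {
        int fd = open(dst, O_WRONLY | O_TRUNC);
        if (fd >= 0 || errno != ENOENT)
            return fd;
    }
    /* O_EXCL is this sketch's choice: if something reappears at DST before
       this call, fail with EEXIST instead of writing into it. */
    int fd = open(dst, O_WRONLY | O_CREAT | O_EXCL, mode);
    *created = fd >= 0;
    return fd;
}

/* Run four constructed cases in a private scratch directory.  Returns a
   bitmask of the cases that behaved as described (15 = all four), or -1
   if the scratch files could not be set up. */
int demo(void)
{
    char dir[64], d[80], d2[80], below_d2[80];
    struct stat st;
    bool created;
    int fd, ok = 0;
    snprintf(dir, sizeof dir, "/tmp/cp-race-demo-%ld", (long) getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(d, sizeof d, "%s/d", dir);        /* never created by setup */
    snprintf(d2, sizeof d2, "%s/d2", dir);     /* really exists */
    snprintf(below_d2, sizeof below_d2, "%s/d2/x", dir);
    fd = open(d2, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "old", 3) != 3 || close(fd) != 0)
        return -1;

    /* 1: stale "exists" for missing d, old logic: ENOENT. */
    fd = naive_open_dest(d, true, 0600);
    if (fd < 0 && errno == ENOENT)
        ok |= 1;

    /* 2: same stale hint, new logic: d gets created. */
    fd = open_dest(d, true, 0600, &created);
    if (fd >= 0 && created)
        ok |= 2;
    if (fd >= 0) close(fd);

    /* 3: the hint is right: d2 is truncated in place, not created. */
    fd = open_dest(d2, true, 0600, &created);
    if (fd >= 0 && !created && fstat(fd, &st) == 0 && st.st_size == 0)
        ok |= 4;
    if (fd >= 0) close(fd);

    /* 4: a failure other than ENOENT (d2 is not a directory) is not
       retried: nothing is created and errno survives. */
    fd = open_dest(below_d2, true, 0600, &created);
    if (fd < 0 && errno == ENOTDIR && !created)
        ok |= 8;

    unlink(d); unlink(d2); rmdir(dir);
    return ok;
}

int main(void)
{
    int r = demo();
    printf("cases behaving as described: %d (15 means all four)\n", r);
    return r == 15 ? 0 : 1;
}
```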

Date: Mon, 7 May 2012 13:36:46 +0200
From: Philipp Thomas
To: Jim Meyering
Cc: 11100@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c

* Jim Meyering (jim@meyering.net) [20120504 17:30]:

> If there's a bugzilla reference for this, let me know
> and I'll add it to the commit log.

There is, but as it's a SLES bug it's only open for SUSE employees and
customers and thus useless for a coreutils commit log. I'll instead
reference the commit from said bug report.

Philipp

From: Jim Meyering
To: Philipp Thomas
Cc: 11100-done@debbugs.gnu.org
Subject: Re: bug#11100: Racy code in copy.c
Date: Mon, 07 May 2012 13:41:57 +0200

Philipp Thomas wrote:
> * Jim Meyering (jim@meyering.net) [20120504 17:30]:
>
>> If there's a bugzilla reference for this, let me know
>> and I'll add it to the commit log.
>
> There is, but as it's a SLES bug it's only open for SUSE employees and
> customers and thus useless for a coreutils commit log. I'll instead
> reference the commit from said bug report.

Ok. I've pushed that change.

From: Jim Meyering
To: control@debbugs.gnu.org
Subject: merging 11074 and 11100
Date: Tue, 08 May 2012 11:13:49 +0200

forcemerge 11074 11100
thanks

11074 and 11100 are essentially equivalent,
so now that 11100 is fixed, so is 11074.

From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 05 Jun 2012 11:24:03 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator

Date: Thu, 18 Nov 2021 08:33:12 -0800
To: control@debbugs.gnu.org
From: Paul Eggert
Subject: 11100 needs more mail

unarchive 11100

Date: Thu, 18 Nov 2021 08:38:40 -0800
To: Jim Meyering
From: Paul Eggert
Cc: 11100@debbugs.gnu.org, Philipp Thomas, Pádraig Brady
Subject: bug#11100: Racy code in copy.c

I spotted a SELinux security-context race introduced by the circa-2012
fix for Bug#11100, and installed the attached patch into coreutils
master. This also gets rid of a label and goto (which is what led me to
find the issue).

Content-Disposition: attachment; filename="0001-cp-fix-security-context-race.patch"

From: Jim Meyering
To: Paul Eggert
Cc: 11100@debbugs.gnu.org, Philipp Thomas, Pádraig Brady
Subject: Re: bug#11100: Racy code in copy.c
Date: Thu, 18 Nov 2021 20:09:08 -0800

On Thu, Nov 18, 2021 at 8:38 AM Paul Eggert wrote:
> I spotted a SELinux security-context race introduced by the circa-2012
> fix for Bug#11100, and installed the attached patch into coreutils
> master. This also gets rid of a label and goto (which is what led me to
> find the issue).

Nice! Thanks for finding and fixing my old bug.

From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 17 Dec 2021 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator