From unknown Fri Aug 15 14:17:09 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#21913 <21913@debbugs.gnu.org> To: bug#21913 <21913@debbugs.gnu.org> Subject: Status: sed/utils.c temporary file handling code review Reply-To: bug#21913 <21913@debbugs.gnu.org> Date: Fri, 15 Aug 2025 21:17:09 +0000 retitle 21913 sed/utils.c temporary file handling code review reassign 21913 sed submitter 21913 Stanislav Brabec severity 21913 normal tag 21913 moreinfo thanks From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 13 14:36:40 2015 Received: (at submit) by debbugs.gnu.org; 13 Nov 2015 19:36:40 +0000 Received: from localhost ([127.0.0.1]:37460 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZxK9H-0004n0-KD for submit@debbugs.gnu.org; Fri, 13 Nov 2015 14:36:40 -0500 Received: from eggs.gnu.org ([208.118.235.92]:48027) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZxK8x-0004mX-Ob for submit@debbugs.gnu.org; Fri, 13 Nov 2015 14:36:38 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZxK8w-0002uc-5R for submit@debbugs.gnu.org; Fri, 13 Nov 2015 14:36:19 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: *** X-Spam-Status: No, score=3.3 required=5.0 tests=BAYES_50, RECEIVED_FROM_WINDOWS_HOST autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:53016) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZxK8w-0002uY-24 for submit@debbugs.gnu.org; Fri, 13 Nov 2015 14:36:18 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58031) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZxK8u-0000FM-SP for bug-sed@gnu.org; Fri, 13 Nov 2015 14:36:18 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZxK8q-0002tp-K0 for bug-sed@gnu.org; Fri, 13 Nov 2015 14:36:16 -0500 Received: from cluster-a.mailcontrol.com ([85.115.52.190]:46516) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZxK8q-0002tG-C6 for bug-sed@gnu.org; Fri, 13 Nov 2015 14:36:12 -0500 Received: from prvxcaht02.microfocus.com ([137.65.249.209]) by rly09a.srv.mailcontrol.com (MailControl) with ESMTPS id tADJ6KcM027228 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL) for ; Fri, 13 Nov 2015 19:06:28 GMT Received: from [10.100.13.32] (10.100.13.32) by mail.microfocus.com (137.65.248.145) with Microsoft SMTP Server (TLS) id 14.3.174.1; Fri, 13 Nov 2015 12:06:20 -0700 To: From: Stanislav Brabec Subject: sed/utils.c temporary file handling code review Organization: SUSE Linux, s. r. o. Message-ID: <564634A9.9070401@suse.com> Date: Fri, 13 Nov 2015 20:06:17 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" X-Originating-IP: [10.100.13.32] X-Scanned-By: MailControl 44278.411 (www.mailcontrol.com) on 10.65.0.119 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by rly09a.srv.mailcontrol.com id tADJ6KcM027228 X-detected-operating-system: by eggs.gnu.org: Windows NT kernel [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) While trying to reproduce an obscure crash with temporary file experienci= ng file system error, I looked deeper into sed/utils.c. I found several stra= nge things. The code handling temporary file seems to be fragile and contains dead ch= unks. See end of this mail and please advise what way to fix you propose? 1. ck_fclose() is (theoretically) vulnerable into a double close, because open_files still contains file being closed while calling do_ck_fclose().= In some error conditions, do_ck_fclose() can call panic(), which manipulates= with open_files and tries to fclose() all files there, including that one just= closed. However, it seems to never happen, as there are other issues. Partial fix for that was sent to the bug-sed list last year [1], but it i= s not in the sed GIT. 2. register_open_file() defines third argument temp (which is actually s= et to true e. g. in ck_mkstemp()). But the argument is never used, and p->temp = is always set to false. 3. 2. makes panic() part inside "if (open_files->temp)" completely void a= nd never called. 4. However it is never called, it has no side effects, as the whole open_file.temp looks completely obsolete. The functionality of it was mov= ed to atexit() cleanup(), and depends on register_cleanup_file(). And register_cleanup_file() is really called in the only place, where register_open_file() would use temp=3Dtrue (the only use is ck_mkstemp(),= and the only use of ck_mkstemp() uses register_cleanup_file() as well). Note that register_open_file() can handle (if it will work) arbitrary num= ber of temporary files, but register_cleanup_file() can handle only one. But it = seems to be no problem. 5. The dead code in panic() uses fclose(); unlink() and it would (if it w= ill be ever called) trigger crash caused by a code mentioned in 1. The new clean= up() code in calls unlink() without fclose(), and dues not use open_files list= , so it could not trigger the crash. What I think should be done with the code? a1. Completely remove third argument of register_open_file(). or a2. Fix register_open_file(). b1. Completely remove code that expected open_files->temp being true. or b2. Must apply c. c. Study the code, and if there is still a chance to out-of-sync mentione= d in 1., prevent it by reordering of lines to a safe order: prev->link =3D cur->link; open_files =3D r.link; do_ck_fclose (cur->fp); d. (optional) As register_open_file() and register_cleanup_file() do near= ly the same, it is possible to convert cleanup() to use open_files, and remo= ve register_cleanup_file() completely. References: [1] Date: Tue, 3 Jun 2014 09:27:28 +1000 From: NeilBrown To: bug-sed@gnu.org Subject: [PATCH sed] ck_fclose should unlink *before* calling do_ck_fclos= e. --=20 Best Regards / S pozdravem, Stanislav Brabec software developer --------------------------------------------------------------------- SUSE LINUX, s. r. o. e-mail: sbrabec@suse.com Lihovarsk=E1 1060/12 tel: +49 911 7405384547 190 00 Praha 9 fax: +420 284 084 001 Czech Republic http://www.suse.cz/ PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76 From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 18 13:09:34 2015 Received: (at submit) by debbugs.gnu.org; 18 Nov 2015 18:09:35 +0000 Received: from localhost ([127.0.0.1]:43640 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zz7Ak-0007UB-GZ for submit@debbugs.gnu.org; Wed, 18 Nov 2015 13:09:34 -0500 Received: from eggs.gnu.org ([208.118.235.92]:35132) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zz7Aj-0007U3-1n for submit@debbugs.gnu.org; Wed, 18 Nov 2015 13:09:33 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Zz7Ah-0006eK-N6 for submit@debbugs.gnu.org; Wed, 18 Nov 2015 13:09:32 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: *** X-Spam-Status: No, score=3.3 required=5.0 tests=BAYES_50, RECEIVED_FROM_WINDOWS_HOST autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:58770) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Zz7Ah-0006eG-Jn for submit@debbugs.gnu.org; Wed, 18 Nov 2015 13:09:31 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:45133) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Zz7Ag-0001VE-IF for bug-sed@gnu.org; Wed, 18 Nov 2015 13:09:31 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Zz7Aa-0006e4-Ag for bug-sed@gnu.org; Wed, 18 Nov 2015 13:09:30 -0500 Received: from cluster-a.mailcontrol.com ([85.115.52.190]:44613) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Zz7Aa-0006d8-37 for bug-sed@gnu.org; Wed, 18 Nov 2015 13:09:24 -0500 Received: from prvxcaht01.microfocus.com ([137.65.249.208]) by rly11a.srv.mailcontrol.com (MailControl) with ESMTPS id tAII9IZ9032988 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL) for ; Wed, 18 Nov 2015 18:09:19 GMT Received: from [10.100.13.32] (10.100.13.32) by mail.microfocus.com (137.65.248.145) with Microsoft SMTP Server (TLS) id 14.3.174.1; Wed, 18 Nov 2015 11:09:17 -0700 Subject: Re: bug#21913: sed/utils.c temporary file handling code review To: References: <564634A9.9070401@suse.com> From: Stanislav Brabec Organization: SUSE Linux, s. r. o. Message-ID: <564CBECB.8090200@suse.com> Date: Wed, 18 Nov 2015 19:09:15 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <564634A9.9070401@suse.com> Content-Type: text/plain; charset="iso-8859-2" X-Originating-IP: [10.100.13.32] X-Scanned-By: MailControl 44278.411 (www.mailcontrol.com) on 10.65.0.121 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by rly11a.srv.mailcontrol.com id tAII9IZ9032988 X-detected-operating-system: by eggs.gnu.org: Windows NT kernel [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Stanislav Brabec wrote: > While trying to reproduce an obscure crash with temporary file experien= cing > file system error, I looked deeper into sed/utils.c. I found several st= range > things. >=20 Here is a detailed regression map: commit 9c9919efe2166efd32409054005619062624226c (initial import in 2004) imported the broken code vulnerable to double fclose() issue and leaving orphan temporary files in some situations. commit 9c9919efe2166efd32409054005619062624226c in 2004 introduced the register_open_file() temporary file bug. No side effects yet. commit 3a8e165ab02487c372df217c1989e287625ce0ae in 2006 started to really= use broken register_open_file() in ck_mkstemp() with third argument "true". I= t caused a regression: keeping orphan files after even more errors than bef= ore, but the regression hides the double fclose() vulnerability. commit 768901548e280726f160a1da4434f3fde8f9921a in 2015 introduced register_cleanup_file() that re-implements broken temporary removal featu= re of register_open_file(). This change hides the register_open_file() tempo= rary file bug. Both mentioned bugs are now present in the code, but probably cannot be triggered. --=20 Best Regards / S pozdravem, Stanislav Brabec software developer --------------------------------------------------------------------- SUSE LINUX, s. r. o. e-mail: sbrabec@suse.com Lihovarsk=E1 1060/12 tel: +49 911 7405384547 190 00 Praha 9 fax: +420 284 084 001 Czech Republic http://www.suse.cz/ PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76 From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 09 10:26:24 2018 Received: (at 21913) by debbugs.gnu.org; 9 Oct 2018 14:26:24 +0000 Received: from localhost ([127.0.0.1]:42430 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1g9sxs-0008Sx-HK for submit@debbugs.gnu.org; Tue, 09 Oct 2018 10:26:24 -0400 Received: from mail-pf1-f170.google.com ([209.85.210.170]:33144) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1g9sxp-0008Sc-UB; Tue, 09 Oct 2018 10:26:22 -0400 Received: by mail-pf1-f170.google.com with SMTP id d4-v6so945378pfn.0; Tue, 09 Oct 2018 07:26:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=tf1KenCfQfnwv928VvpKxXI7EOgYT08RJYpCibGCY8Q=; b=NGI20GTy0eqF2Cd3jQBOL9+qWCteZr/+bJVGDEnh+JlSnMAgLIharg0NA2skorj725 qEe7j02UWhhLH8Wuo8ooDKiMZIQKmZ7JoQRxAnT/0nrxcqvtjKRJAkO1ssPeDNW5rnsF 81qw9bwGkE4wS3DY9C4DkCdZyQXI9OoL/TCHZU2EFSUJsLa61ItvQF0jmX/Y0EFiHDiu cyS52YvfCS9+RioUxOG/XY0LJpZcnRMaUGTYDAZCpisJkuS4dPpLqHSrXTmtgRtNdLX/ Q8o637k3C4ValUOq+5pY72gzOO6Sxq7bpLOE6ly10fFl9zE9jpsqAceIl3xW8ZuxOYm1 BOdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=tf1KenCfQfnwv928VvpKxXI7EOgYT08RJYpCibGCY8Q=; b=qIZhXm3+NMrrfXw9OSDhSgFKoDCPt+FHMGj4fl1UWRGY6euMMtpN00yv5B9AOFIrZk zuQfJRizpxCmb99Mg0KvoMcC2Qmw8X8yrf6ryboFBG+C9Z8D4Bkt4jL9+noJMP0T0PtY ejXhh2PLPlIKE3IqgxzQbC8KwMfvH01R4fke4DOlYDtuESqtzJCgcnd+E+KYCPOqM+HL rcPFHlSKTThC0Q2YHqQa143LtLAqP5MJ4MCNiNSrbt5cMMWIEWUdxZ3wExHVtrK3x7E2 2Bt4IwKoXBr2l6MUBT9TJcijWVnn6plY8E/6sa7+JI5afVD/R4UOA/Wyo1nRWTTsfcLF jrCg== X-Gm-Message-State: ABuFfohBmHviGnnqkIPymTCBXmdaG7D4rRoR4OMfUAaGHsI66pmu8j0z Y2nabIVEXLJ0iIFX6jk4kmhwq9LcBTg= X-Google-Smtp-Source: ACcGV61wuTu3skfVx1G8Ryn1k7vJ31PivZqIP5i2+KtyOkJoPbRnIafLV6xuvTvMMblckKJFgUJtOg== X-Received: by 2002:a63:5353:: with SMTP id t19-v6mr25533039pgl.199.1539095175666; Tue, 09 Oct 2018 07:26:15 -0700 (PDT) Received: from tomato.housegordon.com (moose.housegordon.com. [184.68.105.38]) by smtp.googlemail.com with ESMTPSA id k24-v6sm10471228pfi.11.2018.10.09.07.26.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Oct 2018 07:26:14 -0700 (PDT) Subject: Re: bug#21913: sed/utils.c temporary file handling code review To: Stanislav Brabec , 21913@debbugs.gnu.org References: <564634A9.9070401@suse.com> <564CBECB.8090200@suse.com> From: Assaf Gordon Message-ID: Date: Tue, 9 Oct 2018 08:26:13 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <564CBECB.8090200@suse.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 21913 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) tags 21913 moreinfo close 21913 stop Hello, (catching up on old reports) On 18/11/15 11:09 AM, Stanislav Brabec wrote: > Stanislav Brabec wrote: >> While trying to reproduce an obscure crash with temporary file >> experiencing file system error, I looked deeper into sed/utils.c. I >> found several strange things.[...] > Both mentioned bugs are now present in the code, but probably cannot > be triggered. Given this conclusion, and with no new information (or new similar bug reports) for almost 3 years, I'm including to close this bug. Discussion can continue by replying to this thread, and if more information arises we can always re-open it. regards, - assaf From unknown Fri Aug 15 14:17:09 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Wed, 07 Nov 2018 12:24:05 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator