Date: Wed, 27 Nov 2019 05:34:38 +0000
From: Zefram
To: bug-guile@gnu.org
Subject: internal fds leak across exec
Message-ID: <20191127053438.6nm2sau5ohuifcxe@fysh.org>

Where Guile opens a file in order to read code from it, that file descriptor ought to be private to Guile, in the sense that it should not be passed on to another program across exec. But it is so leaked, as can be seen especially clearly using Linux's /proc/*/fd feature:

$ cat /tmp/t0
(system (string-append "ls -l /proc/" (number->string (getpid)) "/fd; ls -l /proc/self/fd"))
$ guile-2.2.6 --no-auto-compile -s /tmp/t0
total 0
lrwx------ 1 zefram zefram 64 Nov 27 05:21 0 -> /dev/pts/4
lrwx------ 1 zefram zefram 64 Nov 27 05:21 1 -> /dev/pts/4
lrwx------ 1 zefram zefram 64 Nov 27 05:21 2 -> /dev/pts/4
lr-x------ 1 zefram zefram 64 Nov 27 05:21 3 -> pipe:[59357425]
l-wx------ 1 zefram zefram 64 Nov 27 05:21 4 -> pipe:[59357425]
lr-x------ 1 zefram zefram 64 Nov 27 05:21 5 -> pipe:[59357426]
l-wx------ 1 zefram zefram 64 Nov 27 05:21 6 -> pipe:[59357426]
lr-x------ 1 zefram zefram 64 Nov 27 05:21 7 -> /tmp/t0
total 0
lrwx------ 1 zefram zefram 64 Nov 27 05:21 0 -> /dev/pts/4
lrwx------ 1 zefram zefram 64 Nov 27 05:21 1 -> /dev/pts/4
lrwx------ 1 zefram zefram 64 Nov 27 05:21 2 -> /dev/pts/4
lr-x------ 1 zefram zefram 64 Nov 27 05:21 3 -> /proc/3649/fd
lr-x------ 1 zefram zefram 64 Nov 27 05:21 7 -> /tmp/t0
$

Observe that the Guile process has open both the script file and a couple of pipes. The ls process also has a file descriptor on the script file, though it does not have the pipes open. Clearly Guile has leaked the script fd, but has avoided leaking the pipe fds.

The script fd ought to have the FD_CLOEXEC flag set. Preferably, that flag should be set immediately upon opening the file, by means of the O_CLOEXEC flag. I note that pipes opened by the thread system are already opened with O_CLOEXEC.

Guile 2.0 behaves the same as 2.2 in this respect. Guile 1.8 leaks both the script fd and the pipe fds. Guile 1.6 doesn't open any pipes in this test, and also leaks the script fd.

-zefram
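
The leak described in the report, and the two remedies it mentions (O_CLOEXEC at open time, FD_CLOEXEC set afterwards), as an added C example that is not part of the original message or of Guile's source. `/dev/null` stands in for the script file; the helper names `fd_survives_exec` and `probe`, a Linux /proc filesystem and an external `test` binary on PATH are assumptions.

```c
/* Added example (not Guile source). Assumes Linux /proc and a `test` binary on PATH. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec `test -e /proc/self/fd/<fd>`; the exec'd program reports
 * whether it inherited fd. Returns 1 = leaked, 0 = closed on exec, -1 = error. */
static int fd_survives_exec(int fd)
{
    char path[64];
    int status;
    pid_t pid;
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execlp("test", "test", "-e", path, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

/* Open file read-only with extra open(2) flags; optionally set FD_CLOEXEC
 * afterwards via fcntl (this leaves a window between open and fcntl in which
 * another thread could fork+exec). Returns the fd_survives_exec() result. */
static int probe(const char *file, int extra_flags, int set_after_open)
{
    int r, fd = open(file, O_RDONLY | extra_flags);
    if (fd < 0)
        return -1;
    if (set_after_open && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0)
        r = -1;
    else
        r = fd_survives_exec(fd);
    close(fd);
    return r;
}

int main(void)
{
    printf("plain open():       %d\n", probe("/dev/null", 0, 0));
    printf("open(O_CLOEXEC):    %d\n", probe("/dev/null", O_CLOEXEC, 0));
    printf("open() then fcntl:  %d\n", probe("/dev/null", 0, 1));
    return 0;
}
```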