1 /* Authors: Gregory P. Smith & Jeffrey Yasskin */
2 #include "Python.h"
3 #if defined(HAVE_PIPE2) && !defined(_GNU_SOURCE)
4 # define _GNU_SOURCE
5 #endif
6 #include <unistd.h>
7 #include <fcntl.h>
8 #ifdef HAVE_SYS_TYPES_H
9 #include <sys/types.h>
10 #endif
11 #if defined(HAVE_SYS_STAT_H) && defined(__FreeBSD__)
12 #include <sys/stat.h>
13 #endif
14 #ifdef HAVE_SYS_SYSCALL_H
15 #include <sys/syscall.h>
16 #endif
17 #if defined(HAVE_SYS_RESOURCE_H)
18 #include <sys/resource.h>
19 #endif
20 #ifdef HAVE_DIRENT_H
21 #include <dirent.h>
22 #endif
23 
24 #ifdef _Py_MEMORY_SANITIZER
25 # include <sanitizer/msan_interface.h>
26 #endif
27 
28 #if defined(__ANDROID__) && __ANDROID_API__ < 21 && !defined(SYS_getdents64)
29 # include <sys/linux-syscalls.h>
30 # define SYS_getdents64  __NR_getdents64
31 #endif
32 
33 #if defined(__sun) && defined(__SVR4)
34 /* readdir64 is used to work around Solaris 9 bug 6395699. */
35 # define readdir readdir64
36 # define dirent dirent64
37 # if !defined(HAVE_DIRFD)
38 /* Some versions of Solaris lack dirfd(). */
39 #  define dirfd(dirp) ((dirp)->dd_fd)
40 #  define HAVE_DIRFD
41 # endif
42 #endif
43 
44 #if defined(__FreeBSD__) || (defined(__APPLE__) && defined(__MACH__))
45 # define FD_DIR "/dev/fd"
46 #else
47 # define FD_DIR "/proc/self/fd"
48 #endif
49 
50 #define POSIX_CALL(call)   do { if ((call) == -1) goto error; } while (0)
51 
52 
53 /* If gc was disabled, call gc.enable().  Return 0 on success. */
54 static int
_enable_gc(int need_to_reenable_gc,PyObject * gc_module)55 _enable_gc(int need_to_reenable_gc, PyObject *gc_module)
56 {
57     PyObject *result;
58     _Py_IDENTIFIER(enable);
59     PyObject *exctype, *val, *tb;
60 
61     if (need_to_reenable_gc) {
62         PyErr_Fetch(&exctype, &val, &tb);
63         result = _PyObject_CallMethodId(gc_module, &PyId_enable, NULL);
64         if (exctype != NULL) {
65             PyErr_Restore(exctype, val, tb);
66         }
67         if (result == NULL) {
68             return 1;
69         }
70         Py_DECREF(result);
71     }
72     return 0;
73 }
74 
75 
76 /* Convert ASCII to a positive int, no libc call. no overflow. -1 on error. */
77 static int
_pos_int_from_ascii(const char * name)78 _pos_int_from_ascii(const char *name)
79 {
80     int num = 0;
81     while (*name >= '0' && *name <= '9') {
82         num = num * 10 + (*name - '0');
83         ++name;
84     }
85     if (*name)
86         return -1;  /* Non digit found, not a number. */
87     return num;
88 }
89 
90 
91 #if defined(__FreeBSD__)
92 /* When /dev/fd isn't mounted it is often a static directory populated
93  * with 0 1 2 or entries for 0 .. 63 on FreeBSD, NetBSD and OpenBSD.
94  * NetBSD and OpenBSD have a /proc fs available (though not necessarily
95  * mounted) and do not have fdescfs for /dev/fd.  MacOS X has a devfs
96  * that properly supports /dev/fd.
97  */
98 static int
_is_fdescfs_mounted_on_dev_fd(void)99 _is_fdescfs_mounted_on_dev_fd(void)
100 {
101     struct stat dev_stat;
102     struct stat dev_fd_stat;
103     if (stat("/dev", &dev_stat) != 0)
104         return 0;
105     if (stat(FD_DIR, &dev_fd_stat) != 0)
106         return 0;
107     if (dev_stat.st_dev == dev_fd_stat.st_dev)
108         return 0;  /* / == /dev == /dev/fd means it is static. #fail */
109     return 1;
110 }
111 #endif
112 
113 
114 /* Returns 1 if there is a problem with fd_sequence, 0 otherwise. */
115 static int
_sanity_check_python_fd_sequence(PyObject * fd_sequence)116 _sanity_check_python_fd_sequence(PyObject *fd_sequence)
117 {
118     Py_ssize_t seq_idx;
119     long prev_fd = -1;
120     for (seq_idx = 0; seq_idx < PyTuple_GET_SIZE(fd_sequence); ++seq_idx) {
121         PyObject* py_fd = PyTuple_GET_ITEM(fd_sequence, seq_idx);
122         long iter_fd;
123         if (!PyLong_Check(py_fd)) {
124             return 1;
125         }
126         iter_fd = PyLong_AsLong(py_fd);
127         if (iter_fd < 0 || iter_fd <= prev_fd || iter_fd > INT_MAX) {
128             /* Negative, overflow, unsorted, too big for a fd. */
129             return 1;
130         }
131         prev_fd = iter_fd;
132     }
133     return 0;
134 }
135 
136 
137 /* Is fd found in the sorted Python Sequence? */
138 static int
_is_fd_in_sorted_fd_sequence(int fd,PyObject * fd_sequence)139 _is_fd_in_sorted_fd_sequence(int fd, PyObject *fd_sequence)
140 {
141     /* Binary search. */
142     Py_ssize_t search_min = 0;
143     Py_ssize_t search_max = PyTuple_GET_SIZE(fd_sequence) - 1;
144     if (search_max < 0)
145         return 0;
146     do {
147         long middle = (search_min + search_max) / 2;
148         long middle_fd = PyLong_AsLong(PyTuple_GET_ITEM(fd_sequence, middle));
149         if (fd == middle_fd)
150             return 1;
151         if (fd > middle_fd)
152             search_min = middle + 1;
153         else
154             search_max = middle - 1;
155     } while (search_min <= search_max);
156     return 0;
157 }
158 
159 static int
make_inheritable(PyObject * py_fds_to_keep,int errpipe_write)160 make_inheritable(PyObject *py_fds_to_keep, int errpipe_write)
161 {
162     Py_ssize_t i, len;
163 
164     len = PyTuple_GET_SIZE(py_fds_to_keep);
165     for (i = 0; i < len; ++i) {
166         PyObject* fdobj = PyTuple_GET_ITEM(py_fds_to_keep, i);
167         long fd = PyLong_AsLong(fdobj);
168         assert(!PyErr_Occurred());
169         assert(0 <= fd && fd <= INT_MAX);
170         if (fd == errpipe_write) {
171             /* errpipe_write is part of py_fds_to_keep. It must be closed at
172                exec(), but kept open in the child process until exec() is
173                called. */
174             continue;
175         }
176         if (_Py_set_inheritable_async_safe((int)fd, 1, NULL) < 0)
177             return -1;
178     }
179     return 0;
180 }
181 
182 
183 /* Get the maximum file descriptor that could be opened by this process.
184  * This function is async signal safe for use between fork() and exec().
185  */
186 static long
safe_get_max_fd(void)187 safe_get_max_fd(void)
188 {
189     long local_max_fd;
190 #if defined(__NetBSD__)
191     local_max_fd = fcntl(0, F_MAXFD);
192     if (local_max_fd >= 0)
193         return local_max_fd;
194 #endif
195 #if defined(HAVE_SYS_RESOURCE_H) && defined(__OpenBSD__)
196     struct rlimit rl;
197     /* Not on the POSIX async signal safe functions list but likely
198      * safe.  TODO - Someone should audit OpenBSD to make sure. */
199     if (getrlimit(RLIMIT_NOFILE, &rl) >= 0)
200         return (long) rl.rlim_max;
201 #endif
202 #ifdef _SC_OPEN_MAX
203     local_max_fd = sysconf(_SC_OPEN_MAX);
204     if (local_max_fd == -1)
205 #endif
206         local_max_fd = 256;  /* Matches legacy Lib/subprocess.py behavior. */
207     return local_max_fd;
208 }
209 
210 
211 /* Close all file descriptors in the range from start_fd and higher
212  * except for those in py_fds_to_keep.  If the range defined by
213  * [start_fd, safe_get_max_fd()) is large this will take a long
214  * time as it calls close() on EVERY possible fd.
215  *
216  * It isn't possible to know for sure what the max fd to go up to
217  * is for processes with the capability of raising their maximum.
218  */
219 static void
_close_fds_by_brute_force(long start_fd,PyObject * py_fds_to_keep)220 _close_fds_by_brute_force(long start_fd, PyObject *py_fds_to_keep)
221 {
222     long end_fd = safe_get_max_fd();
223     Py_ssize_t num_fds_to_keep = PyTuple_GET_SIZE(py_fds_to_keep);
224     Py_ssize_t keep_seq_idx;
225     int fd_num;
226     /* As py_fds_to_keep is sorted we can loop through the list closing
227      * fds in between any in the keep list falling within our range. */
228     for (keep_seq_idx = 0; keep_seq_idx < num_fds_to_keep; ++keep_seq_idx) {
229         PyObject* py_keep_fd = PyTuple_GET_ITEM(py_fds_to_keep, keep_seq_idx);
230         int keep_fd = PyLong_AsLong(py_keep_fd);
231         if (keep_fd < start_fd)
232             continue;
233         for (fd_num = start_fd; fd_num < keep_fd; ++fd_num) {
234             close(fd_num);
235         }
236         start_fd = keep_fd + 1;
237     }
238     if (start_fd <= end_fd) {
239         for (fd_num = start_fd; fd_num < end_fd; ++fd_num) {
240             close(fd_num);
241         }
242     }
243 }
244 
245 
246 #if defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)
247 /* It doesn't matter if d_name has room for NAME_MAX chars; we're using this
248  * only to read a directory of short file descriptor number names.  The kernel
249  * will return an error if we didn't give it enough space.  Highly Unlikely.
250  * This structure is very old and stable: It will not change unless the kernel
251  * chooses to break compatibility with all existing binaries.  Highly Unlikely.
252  */
253 struct linux_dirent64 {
254    unsigned long long d_ino;
255    long long d_off;
256    unsigned short d_reclen;     /* Length of this linux_dirent */
257    unsigned char  d_type;
258    char           d_name[256];  /* Filename (null-terminated) */
259 };
260 
261 /* Close all open file descriptors in the range from start_fd and higher
262  * Do not close any in the sorted py_fds_to_keep list.
263  *
264  * This version is async signal safe as it does not make any unsafe C library
265  * calls, malloc calls or handle any locks.  It is _unfortunate_ to be forced
266  * to resort to making a kernel system call directly but this is the ONLY api
267  * available that does no harm.  opendir/readdir/closedir perform memory
268  * allocation and locking so while they usually work they are not guaranteed
269  * to (especially if you have replaced your malloc implementation).  A version
270  * of this function that uses those can be found in the _maybe_unsafe variant.
271  *
272  * This is Linux specific because that is all I am ready to test it on.  It
273  * should be easy to add OS specific dirent or dirent64 structures and modify
274  * it with some cpp #define magic to work on other OSes as well if you want.
275  */
276 static void
_close_open_fds_safe(int start_fd,PyObject * py_fds_to_keep)277 _close_open_fds_safe(int start_fd, PyObject* py_fds_to_keep)
278 {
279     int fd_dir_fd;
280 
281     fd_dir_fd = _Py_open_noraise(FD_DIR, O_RDONLY);
282     if (fd_dir_fd == -1) {
283         /* No way to get a list of open fds. */
284         _close_fds_by_brute_force(start_fd, py_fds_to_keep);
285         return;
286     } else {
287         char buffer[sizeof(struct linux_dirent64)];
288         int bytes;
289         while ((bytes = syscall(SYS_getdents64, fd_dir_fd,
290                                 (struct linux_dirent64 *)buffer,
291                                 sizeof(buffer))) > 0) {
292             struct linux_dirent64 *entry;
293             int offset;
294 #ifdef _Py_MEMORY_SANITIZER
295             __msan_unpoison(buffer, bytes);
296 #endif
297             for (offset = 0; offset < bytes; offset += entry->d_reclen) {
298                 int fd;
299                 entry = (struct linux_dirent64 *)(buffer + offset);
300                 if ((fd = _pos_int_from_ascii(entry->d_name)) < 0)
301                     continue;  /* Not a number. */
302                 if (fd != fd_dir_fd && fd >= start_fd &&
303                     !_is_fd_in_sorted_fd_sequence(fd, py_fds_to_keep)) {
304                     close(fd);
305                 }
306             }
307         }
308         close(fd_dir_fd);
309     }
310 }
311 
312 #define _close_open_fds _close_open_fds_safe
313 
314 #else  /* NOT (defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)) */
315 
316 
317 /* Close all open file descriptors from start_fd and higher.
318  * Do not close any in the sorted py_fds_to_keep tuple.
319  *
320  * This function violates the strict use of async signal safe functions. :(
321  * It calls opendir(), readdir() and closedir().  Of these, the one most
322  * likely to ever cause a problem is opendir() as it performs an internal
323  * malloc().  Practically this should not be a problem.  The Java VM makes the
324  * same calls between fork and exec in its own UNIXProcess_md.c implementation.
325  *
326  * readdir_r() is not used because it provides no benefit.  It is typically
327  * implemented as readdir() followed by memcpy().  See also:
328  *   http://womble.decadent.org.uk/readdir_r-advisory.html
329  */
330 static void
_close_open_fds_maybe_unsafe(long start_fd,PyObject * py_fds_to_keep)331 _close_open_fds_maybe_unsafe(long start_fd, PyObject* py_fds_to_keep)
332 {
333     DIR *proc_fd_dir;
334 #ifndef HAVE_DIRFD
335     while (_is_fd_in_sorted_fd_sequence(start_fd, py_fds_to_keep)) {
336         ++start_fd;
337     }
338     /* Close our lowest fd before we call opendir so that it is likely to
339      * reuse that fd otherwise we might close opendir's file descriptor in
340      * our loop.  This trick assumes that fd's are allocated on a lowest
341      * available basis. */
342     close(start_fd);
343     ++start_fd;
344 #endif
345 
346 #if defined(__FreeBSD__)
347     if (!_is_fdescfs_mounted_on_dev_fd())
348         proc_fd_dir = NULL;
349     else
350 #endif
351         proc_fd_dir = opendir(FD_DIR);
352     if (!proc_fd_dir) {
353         /* No way to get a list of open fds. */
354         _close_fds_by_brute_force(start_fd, py_fds_to_keep);
355     } else {
356         struct dirent *dir_entry;
357 #ifdef HAVE_DIRFD
358         int fd_used_by_opendir = dirfd(proc_fd_dir);
359 #else
360         int fd_used_by_opendir = start_fd - 1;
361 #endif
362         errno = 0;
363         while ((dir_entry = readdir(proc_fd_dir))) {
364             int fd;
365             if ((fd = _pos_int_from_ascii(dir_entry->d_name)) < 0)
366                 continue;  /* Not a number. */
367             if (fd != fd_used_by_opendir && fd >= start_fd &&
368                 !_is_fd_in_sorted_fd_sequence(fd, py_fds_to_keep)) {
369                 close(fd);
370             }
371             errno = 0;
372         }
373         if (errno) {
374             /* readdir error, revert behavior. Highly Unlikely. */
375             _close_fds_by_brute_force(start_fd, py_fds_to_keep);
376         }
377         closedir(proc_fd_dir);
378     }
379 }
380 
381 #define _close_open_fds _close_open_fds_maybe_unsafe
382 
383 #endif  /* else NOT (defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)) */
384 
385 
386 /*
387  * This function is code executed in the child process immediately after fork
388  * to set things up and call exec().
389  *
390  * All of the code in this function must only use async-signal-safe functions,
391  * listed at `man 7 signal` or
392  * http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html.
393  *
394  * This restriction is documented at
395  * http://www.opengroup.org/onlinepubs/009695399/functions/fork.html.
396  */
397 static void
child_exec(char * const exec_array[],char * const argv[],char * const envp[],const char * cwd,int p2cread,int p2cwrite,int c2pread,int c2pwrite,int errread,int errwrite,int errpipe_read,int errpipe_write,int close_fds,int restore_signals,int call_setsid,PyObject * py_fds_to_keep,PyObject * preexec_fn,PyObject * preexec_fn_args_tuple)398 child_exec(char *const exec_array[],
399            char *const argv[],
400            char *const envp[],
401            const char *cwd,
402            int p2cread, int p2cwrite,
403            int c2pread, int c2pwrite,
404            int errread, int errwrite,
405            int errpipe_read, int errpipe_write,
406            int close_fds, int restore_signals,
407            int call_setsid,
408            PyObject *py_fds_to_keep,
409            PyObject *preexec_fn,
410            PyObject *preexec_fn_args_tuple)
411 {
412     int i, saved_errno, reached_preexec = 0;
413     PyObject *result;
414     const char* err_msg = "";
415     /* Buffer large enough to hold a hex integer.  We can't malloc. */
416     char hex_errno[sizeof(saved_errno)*2+1];
417 
418     if (make_inheritable(py_fds_to_keep, errpipe_write) < 0)
419         goto error;
420 
421     /* Close parent's pipe ends. */
422     if (p2cwrite != -1)
423         POSIX_CALL(close(p2cwrite));
424     if (c2pread != -1)
425         POSIX_CALL(close(c2pread));
426     if (errread != -1)
427         POSIX_CALL(close(errread));
428     POSIX_CALL(close(errpipe_read));
429 
430     /* When duping fds, if there arises a situation where one of the fds is
431        either 0, 1 or 2, it is possible that it is overwritten (#12607). */
432     if (c2pwrite == 0) {
433         POSIX_CALL(c2pwrite = dup(c2pwrite));
434         /* issue32270 */
435         if (_Py_set_inheritable_async_safe(c2pwrite, 0, NULL) < 0) {
436             goto error;
437         }
438     }
439     while (errwrite == 0 || errwrite == 1) {
440         POSIX_CALL(errwrite = dup(errwrite));
441         /* issue32270 */
442         if (_Py_set_inheritable_async_safe(errwrite, 0, NULL) < 0) {
443             goto error;
444         }
445     }
446 
447     /* Dup fds for child.
448        dup2() removes the CLOEXEC flag but we must do it ourselves if dup2()
449        would be a no-op (issue #10806). */
450     if (p2cread == 0) {
451         if (_Py_set_inheritable_async_safe(p2cread, 1, NULL) < 0)
452             goto error;
453     }
454     else if (p2cread != -1)
455         POSIX_CALL(dup2(p2cread, 0));  /* stdin */
456 
457     if (c2pwrite == 1) {
458         if (_Py_set_inheritable_async_safe(c2pwrite, 1, NULL) < 0)
459             goto error;
460     }
461     else if (c2pwrite != -1)
462         POSIX_CALL(dup2(c2pwrite, 1));  /* stdout */
463 
464     if (errwrite == 2) {
465         if (_Py_set_inheritable_async_safe(errwrite, 1, NULL) < 0)
466             goto error;
467     }
468     else if (errwrite != -1)
469         POSIX_CALL(dup2(errwrite, 2));  /* stderr */
470 
471     /* We no longer manually close p2cread, c2pwrite, and errwrite here as
472      * _close_open_fds takes care when it is not already non-inheritable. */
473 
474     if (cwd)
475         POSIX_CALL(chdir(cwd));
476 
477     if (restore_signals)
478         _Py_RestoreSignals();
479 
480 #ifdef HAVE_SETSID
481     if (call_setsid)
482         POSIX_CALL(setsid());
483 #endif
484 
485     reached_preexec = 1;
486     if (preexec_fn != Py_None && preexec_fn_args_tuple) {
487         /* This is where the user has asked us to deadlock their program. */
488         result = PyObject_Call(preexec_fn, preexec_fn_args_tuple, NULL);
489         if (result == NULL) {
490             /* Stringifying the exception or traceback would involve
491              * memory allocation and thus potential for deadlock.
492              * We've already faced potential deadlock by calling back
493              * into Python in the first place, so it probably doesn't
494              * matter but we avoid it to minimize the possibility. */
495             err_msg = "Exception occurred in preexec_fn.";
496             errno = 0;  /* We don't want to report an OSError. */
497             goto error;
498         }
499         /* Py_DECREF(result); - We're about to exec so why bother? */
500     }
501 
502     /* close FDs after executing preexec_fn, which might open FDs */
503     if (close_fds) {
504         /* TODO HP-UX could use pstat_getproc() if anyone cares about it. */
505         _close_open_fds(3, py_fds_to_keep);
506     }
507 
508     /* This loop matches the Lib/os.py _execvpe()'s PATH search when */
509     /* given the executable_list generated by Lib/subprocess.py.     */
510     saved_errno = 0;
511     for (i = 0; exec_array[i] != NULL; ++i) {
512         const char *executable = exec_array[i];
513         if (envp) {
514             execve(executable, argv, envp);
515         } else {
516             execv(executable, argv);
517         }
518         if (errno != ENOENT && errno != ENOTDIR && saved_errno == 0) {
519             saved_errno = errno;
520         }
521     }
522     /* Report the first exec error, not the last. */
523     if (saved_errno)
524         errno = saved_errno;
525 
526 error:
527     saved_errno = errno;
528     /* Report the posix error to our parent process. */
529     /* We ignore all write() return values as the total size of our writes is
530        less than PIPEBUF and we cannot do anything about an error anyways.
531        Use _Py_write_noraise() to retry write() if it is interrupted by a
532        signal (fails with EINTR). */
533     if (saved_errno) {
534         char *cur;
535         _Py_write_noraise(errpipe_write, "OSError:", 8);
536         cur = hex_errno + sizeof(hex_errno);
537         while (saved_errno != 0 && cur != hex_errno) {
538             *--cur = Py_hexdigits[saved_errno % 16];
539             saved_errno /= 16;
540         }
541         _Py_write_noraise(errpipe_write, cur, hex_errno + sizeof(hex_errno) - cur);
542         _Py_write_noraise(errpipe_write, ":", 1);
543         if (!reached_preexec) {
544             /* Indicate to the parent that the error happened before exec(). */
545             _Py_write_noraise(errpipe_write, "noexec", 6);
546         }
547         /* We can't call strerror(saved_errno).  It is not async signal safe.
548          * The parent process will look the error message up. */
549     } else {
550         _Py_write_noraise(errpipe_write, "SubprocessError:0:", 18);
551         _Py_write_noraise(errpipe_write, err_msg, strlen(err_msg));
552     }
553 }
554 
555 
556 static PyObject *
subprocess_fork_exec(PyObject * self,PyObject * args)557 subprocess_fork_exec(PyObject* self, PyObject *args)
558 {
559     PyObject *gc_module = NULL;
560     PyObject *executable_list, *py_fds_to_keep;
561     PyObject *env_list, *preexec_fn;
562     PyObject *process_args, *converted_args = NULL, *fast_args = NULL;
563     PyObject *preexec_fn_args_tuple = NULL;
564     int p2cread, p2cwrite, c2pread, c2pwrite, errread, errwrite;
565     int errpipe_read, errpipe_write, close_fds, restore_signals;
566     int call_setsid;
567     PyObject *cwd_obj, *cwd_obj2;
568     const char *cwd;
569     pid_t pid;
570     int need_to_reenable_gc = 0;
571     char *const *exec_array, *const *argv = NULL, *const *envp = NULL;
572     Py_ssize_t arg_num;
573     int need_after_fork = 0;
574     int saved_errno = 0;
575 
576     if (!PyArg_ParseTuple(
577             args, "OOpO!OOiiiiiiiiiiO:fork_exec",
578             &process_args, &executable_list,
579             &close_fds, &PyTuple_Type, &py_fds_to_keep,
580             &cwd_obj, &env_list,
581             &p2cread, &p2cwrite, &c2pread, &c2pwrite,
582             &errread, &errwrite, &errpipe_read, &errpipe_write,
583             &restore_signals, &call_setsid, &preexec_fn))
584         return NULL;
585 
586     if (close_fds && errpipe_write < 3) {  /* precondition */
587         PyErr_SetString(PyExc_ValueError, "errpipe_write must be >= 3");
588         return NULL;
589     }
590     if (_sanity_check_python_fd_sequence(py_fds_to_keep)) {
591         PyErr_SetString(PyExc_ValueError, "bad value(s) in fds_to_keep");
592         return NULL;
593     }
594 
595     /* We need to call gc.disable() when we'll be calling preexec_fn */
596     if (preexec_fn != Py_None) {
597         PyObject *result;
598         _Py_IDENTIFIER(isenabled);
599         _Py_IDENTIFIER(disable);
600 
601         gc_module = PyImport_ImportModule("gc");
602         if (gc_module == NULL)
603             return NULL;
604         result = _PyObject_CallMethodId(gc_module, &PyId_isenabled, NULL);
605         if (result == NULL) {
606             Py_DECREF(gc_module);
607             return NULL;
608         }
609         need_to_reenable_gc = PyObject_IsTrue(result);
610         Py_DECREF(result);
611         if (need_to_reenable_gc == -1) {
612             Py_DECREF(gc_module);
613             return NULL;
614         }
615         result = _PyObject_CallMethodId(gc_module, &PyId_disable, NULL);
616         if (result == NULL) {
617             Py_DECREF(gc_module);
618             return NULL;
619         }
620         Py_DECREF(result);
621     }
622 
623     exec_array = _PySequence_BytesToCharpArray(executable_list);
624     if (!exec_array)
625         goto cleanup;
626 
627     /* Convert args and env into appropriate arguments for exec() */
628     /* These conversions are done in the parent process to avoid allocating
629        or freeing memory in the child process. */
630     if (process_args != Py_None) {
631         Py_ssize_t num_args;
632         /* Equivalent to:  */
633         /*  tuple(PyUnicode_FSConverter(arg) for arg in process_args)  */
634         fast_args = PySequence_Fast(process_args, "argv must be a tuple");
635         if (fast_args == NULL)
636             goto cleanup;
637         num_args = PySequence_Fast_GET_SIZE(fast_args);
638         converted_args = PyTuple_New(num_args);
639         if (converted_args == NULL)
640             goto cleanup;
641         for (arg_num = 0; arg_num < num_args; ++arg_num) {
642             PyObject *borrowed_arg, *converted_arg;
643             if (PySequence_Fast_GET_SIZE(fast_args) != num_args) {
644                 PyErr_SetString(PyExc_RuntimeError, "args changed during iteration");
645                 goto cleanup;
646             }
647             borrowed_arg = PySequence_Fast_GET_ITEM(fast_args, arg_num);
648             if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0)
649                 goto cleanup;
650             PyTuple_SET_ITEM(converted_args, arg_num, converted_arg);
651         }
652 
653         argv = _PySequence_BytesToCharpArray(converted_args);
654         Py_CLEAR(converted_args);
655         Py_CLEAR(fast_args);
656         if (!argv)
657             goto cleanup;
658     }
659 
660     if (env_list != Py_None) {
661         envp = _PySequence_BytesToCharpArray(env_list);
662         if (!envp)
663             goto cleanup;
664     }
665 
666     if (cwd_obj != Py_None) {
667         if (PyUnicode_FSConverter(cwd_obj, &cwd_obj2) == 0)
668             goto cleanup;
669         cwd = PyBytes_AsString(cwd_obj2);
670     } else {
671         cwd = NULL;
672         cwd_obj2 = NULL;
673     }
674 
675     /* This must be the last thing done before fork() because we do not
676      * want to call PyOS_BeforeFork() if there is any chance of another
677      * error leading to the cleanup: code without calling fork(). */
678     if (preexec_fn != Py_None) {
679         preexec_fn_args_tuple = PyTuple_New(0);
680         if (!preexec_fn_args_tuple)
681             goto cleanup;
682         PyOS_BeforeFork();
683         need_after_fork = 1;
684     }
685 
686     pid = fork();
687     if (pid == 0) {
688         /* Child process */
689         /*
690          * Code from here to _exit() must only use async-signal-safe functions,
691          * listed at `man 7 signal` or
692          * http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html.
693          */
694 
695         if (preexec_fn != Py_None) {
696             /* We'll be calling back into Python later so we need to do this.
697              * This call may not be async-signal-safe but neither is calling
698              * back into Python.  The user asked us to use hope as a strategy
699              * to avoid deadlock... */
700             PyOS_AfterFork_Child();
701         }
702 
703         child_exec(exec_array, argv, envp, cwd,
704                    p2cread, p2cwrite, c2pread, c2pwrite,
705                    errread, errwrite, errpipe_read, errpipe_write,
706                    close_fds, restore_signals, call_setsid,
707                    py_fds_to_keep, preexec_fn, preexec_fn_args_tuple);
708         _exit(255);
709         return NULL;  /* Dead code to avoid a potential compiler warning. */
710     }
711     /* Parent (original) process */
712     if (pid == -1) {
713         /* Capture errno for the exception. */
714         saved_errno = errno;
715     }
716 
717     Py_XDECREF(cwd_obj2);
718 
719     if (need_after_fork)
720         PyOS_AfterFork_Parent();
721     if (envp)
722         _Py_FreeCharPArray(envp);
723     if (argv)
724         _Py_FreeCharPArray(argv);
725     _Py_FreeCharPArray(exec_array);
726 
727     /* Reenable gc in the parent process (or if fork failed). */
728     if (_enable_gc(need_to_reenable_gc, gc_module)) {
729         pid = -1;
730     }
731     Py_XDECREF(preexec_fn_args_tuple);
732     Py_XDECREF(gc_module);
733 
734     if (pid == -1) {
735         errno = saved_errno;
736         /* We can't call this above as PyOS_AfterFork_Parent() calls back
737          * into Python code which would see the unreturned error. */
738         PyErr_SetFromErrno(PyExc_OSError);
739         return NULL;  /* fork() failed. */
740     }
741 
742     return PyLong_FromPid(pid);
743 
744 cleanup:
745     if (envp)
746         _Py_FreeCharPArray(envp);
747     if (argv)
748         _Py_FreeCharPArray(argv);
749     if (exec_array)
750         _Py_FreeCharPArray(exec_array);
751     Py_XDECREF(converted_args);
752     Py_XDECREF(fast_args);
753     Py_XDECREF(preexec_fn_args_tuple);
754     _enable_gc(need_to_reenable_gc, gc_module);
755     Py_XDECREF(gc_module);
756     return NULL;
757 }
758 
759 
760 PyDoc_STRVAR(subprocess_fork_exec_doc,
761 "fork_exec(args, executable_list, close_fds, cwd, env,\n\
762           p2cread, p2cwrite, c2pread, c2pwrite,\n\
763           errread, errwrite, errpipe_read, errpipe_write,\n\
764           restore_signals, call_setsid, preexec_fn)\n\
765 \n\
766 Forks a child process, closes parent file descriptors as appropriate in the\n\
767 child and dups the few that are needed before calling exec() in the child\n\
768 process.\n\
769 \n\
770 The preexec_fn, if supplied, will be called immediately before exec.\n\
771 WARNING: preexec_fn is NOT SAFE if your application uses threads.\n\
772          It may trigger infrequent, difficult to debug deadlocks.\n\
773 \n\
774 If an error occurs in the child process before the exec, it is\n\
775 serialized and written to the errpipe_write fd per subprocess.py.\n\
776 \n\
777 Returns: the child process's PID.\n\
778 \n\
779 Raises: Only on an error in the parent process.\n\
780 ");
781 
782 /* module level code ********************************************************/
783 
784 PyDoc_STRVAR(module_doc,
785 "A POSIX helper for the subprocess module.");
786 
787 
788 static PyMethodDef module_methods[] = {
789     {"fork_exec", subprocess_fork_exec, METH_VARARGS, subprocess_fork_exec_doc},
790     {NULL, NULL}  /* sentinel */
791 };
792 
793 
794 static struct PyModuleDef _posixsubprocessmodule = {
795         PyModuleDef_HEAD_INIT,
796         "_posixsubprocess",
797         module_doc,
798         -1,  /* No memory is needed. */
799         module_methods,
800 };
801 
802 PyMODINIT_FUNC
PyInit__posixsubprocess(void)803 PyInit__posixsubprocess(void)
804 {
805     return PyModule_Create(&_posixsubprocessmodule);
806 }
807