1 /* Authors: Gregory P. Smith & Jeffrey Yasskin */
2 #include "Python.h"
3 #if defined(HAVE_PIPE2) && !defined(_GNU_SOURCE)
4 # define _GNU_SOURCE
5 #endif
6 #include <unistd.h>
7 #include <fcntl.h>
8 #ifdef HAVE_SYS_TYPES_H
9 #include <sys/types.h>
10 #endif
11 #if defined(HAVE_SYS_STAT_H)
12 #include <sys/stat.h>
13 #endif
14 #ifdef HAVE_SYS_SYSCALL_H
15 #include <sys/syscall.h>
16 #endif
17 #if defined(HAVE_SYS_RESOURCE_H)
18 #include <sys/resource.h>
19 #endif
20 #ifdef HAVE_DIRENT_H
21 #include <dirent.h>
22 #endif
23 #ifdef HAVE_GRP_H
24 #include <grp.h>
25 #endif /* HAVE_GRP_H */
26 
27 #include "posixmodule.h"
28 
29 #ifdef _Py_MEMORY_SANITIZER
30 # include <sanitizer/msan_interface.h>
31 #endif
32 
33 #if defined(__ANDROID__) && __ANDROID_API__ < 21 && !defined(SYS_getdents64)
34 # include <sys/linux-syscalls.h>
35 # define SYS_getdents64  __NR_getdents64
36 #endif
37 
38 #if defined(__sun) && defined(__SVR4)
39 /* readdir64 is used to work around Solaris 9 bug 6395699. */
40 # define readdir readdir64
41 # define dirent dirent64
42 # if !defined(HAVE_DIRFD)
43 /* Some versions of Solaris lack dirfd(). */
44 #  define dirfd(dirp) ((dirp)->dd_fd)
45 #  define HAVE_DIRFD
46 # endif
47 #endif
48 
49 #if defined(__FreeBSD__) || (defined(__APPLE__) && defined(__MACH__))
50 # define FD_DIR "/dev/fd"
51 #else
52 # define FD_DIR "/proc/self/fd"
53 #endif
54 
55 #ifdef NGROUPS_MAX
56 #define MAX_GROUPS NGROUPS_MAX
57 #else
58 #define MAX_GROUPS 64
59 #endif
60 
61 #define POSIX_CALL(call)   do { if ((call) == -1) goto error; } while (0)
62 
63 typedef struct {
64     PyObject* disable;
65     PyObject* enable;
66     PyObject* isenabled;
67 } _posixsubprocessstate;
68 
69 static struct PyModuleDef _posixsubprocessmodule;
70 
71 static inline _posixsubprocessstate*
get_posixsubprocess_state(PyObject * module)72 get_posixsubprocess_state(PyObject *module)
73 {
74     void *state = PyModule_GetState(module);
75     assert(state != NULL);
76     return (_posixsubprocessstate *)state;
77 }
78 
79 #define _posixsubprocessstate_global get_posixsubprocess_state(PyState_FindModule(&_posixsubprocessmodule))
80 
81 /* If gc was disabled, call gc.enable().  Return 0 on success. */
82 static int
_enable_gc(int need_to_reenable_gc,PyObject * gc_module)83 _enable_gc(int need_to_reenable_gc, PyObject *gc_module)
84 {
85     PyObject *result;
86     PyObject *exctype, *val, *tb;
87 
88     if (need_to_reenable_gc) {
89         PyErr_Fetch(&exctype, &val, &tb);
90         result = PyObject_CallMethodNoArgs(
91             gc_module, _posixsubprocessstate_global->enable);
92         if (exctype != NULL) {
93             PyErr_Restore(exctype, val, tb);
94         }
95         if (result == NULL) {
96             return 1;
97         }
98         Py_DECREF(result);
99     }
100     return 0;
101 }
102 
103 
104 /* Convert ASCII to a positive int, no libc call. no overflow. -1 on error. */
105 static int
_pos_int_from_ascii(const char * name)106 _pos_int_from_ascii(const char *name)
107 {
108     int num = 0;
109     while (*name >= '0' && *name <= '9') {
110         num = num * 10 + (*name - '0');
111         ++name;
112     }
113     if (*name)
114         return -1;  /* Non digit found, not a number. */
115     return num;
116 }
117 
118 
119 #if defined(__FreeBSD__)
120 /* When /dev/fd isn't mounted it is often a static directory populated
121  * with 0 1 2 or entries for 0 .. 63 on FreeBSD, NetBSD and OpenBSD.
122  * NetBSD and OpenBSD have a /proc fs available (though not necessarily
123  * mounted) and do not have fdescfs for /dev/fd.  MacOS X has a devfs
124  * that properly supports /dev/fd.
125  */
126 static int
_is_fdescfs_mounted_on_dev_fd(void)127 _is_fdescfs_mounted_on_dev_fd(void)
128 {
129     struct stat dev_stat;
130     struct stat dev_fd_stat;
131     if (stat("/dev", &dev_stat) != 0)
132         return 0;
133     if (stat(FD_DIR, &dev_fd_stat) != 0)
134         return 0;
135     if (dev_stat.st_dev == dev_fd_stat.st_dev)
136         return 0;  /* / == /dev == /dev/fd means it is static. #fail */
137     return 1;
138 }
139 #endif
140 
141 
142 /* Returns 1 if there is a problem with fd_sequence, 0 otherwise. */
143 static int
_sanity_check_python_fd_sequence(PyObject * fd_sequence)144 _sanity_check_python_fd_sequence(PyObject *fd_sequence)
145 {
146     Py_ssize_t seq_idx;
147     long prev_fd = -1;
148     for (seq_idx = 0; seq_idx < PyTuple_GET_SIZE(fd_sequence); ++seq_idx) {
149         PyObject* py_fd = PyTuple_GET_ITEM(fd_sequence, seq_idx);
150         long iter_fd;
151         if (!PyLong_Check(py_fd)) {
152             return 1;
153         }
154         iter_fd = PyLong_AsLong(py_fd);
155         if (iter_fd < 0 || iter_fd <= prev_fd || iter_fd > INT_MAX) {
156             /* Negative, overflow, unsorted, too big for a fd. */
157             return 1;
158         }
159         prev_fd = iter_fd;
160     }
161     return 0;
162 }
163 
164 
165 /* Is fd found in the sorted Python Sequence? */
166 static int
_is_fd_in_sorted_fd_sequence(int fd,PyObject * fd_sequence)167 _is_fd_in_sorted_fd_sequence(int fd, PyObject *fd_sequence)
168 {
169     /* Binary search. */
170     Py_ssize_t search_min = 0;
171     Py_ssize_t search_max = PyTuple_GET_SIZE(fd_sequence) - 1;
172     if (search_max < 0)
173         return 0;
174     do {
175         long middle = (search_min + search_max) / 2;
176         long middle_fd = PyLong_AsLong(PyTuple_GET_ITEM(fd_sequence, middle));
177         if (fd == middle_fd)
178             return 1;
179         if (fd > middle_fd)
180             search_min = middle + 1;
181         else
182             search_max = middle - 1;
183     } while (search_min <= search_max);
184     return 0;
185 }
186 
187 static int
make_inheritable(PyObject * py_fds_to_keep,int errpipe_write)188 make_inheritable(PyObject *py_fds_to_keep, int errpipe_write)
189 {
190     Py_ssize_t i, len;
191 
192     len = PyTuple_GET_SIZE(py_fds_to_keep);
193     for (i = 0; i < len; ++i) {
194         PyObject* fdobj = PyTuple_GET_ITEM(py_fds_to_keep, i);
195         long fd = PyLong_AsLong(fdobj);
196         assert(!PyErr_Occurred());
197         assert(0 <= fd && fd <= INT_MAX);
198         if (fd == errpipe_write) {
199             /* errpipe_write is part of py_fds_to_keep. It must be closed at
200                exec(), but kept open in the child process until exec() is
201                called. */
202             continue;
203         }
204         if (_Py_set_inheritable_async_safe((int)fd, 1, NULL) < 0)
205             return -1;
206     }
207     return 0;
208 }
209 
210 
211 /* Get the maximum file descriptor that could be opened by this process.
212  * This function is async signal safe for use between fork() and exec().
213  */
214 static long
safe_get_max_fd(void)215 safe_get_max_fd(void)
216 {
217     long local_max_fd;
218 #if defined(__NetBSD__)
219     local_max_fd = fcntl(0, F_MAXFD);
220     if (local_max_fd >= 0)
221         return local_max_fd;
222 #endif
223 #if defined(HAVE_SYS_RESOURCE_H) && defined(__OpenBSD__)
224     struct rlimit rl;
225     /* Not on the POSIX async signal safe functions list but likely
226      * safe.  TODO - Someone should audit OpenBSD to make sure. */
227     if (getrlimit(RLIMIT_NOFILE, &rl) >= 0)
228         return (long) rl.rlim_max;
229 #endif
230 #ifdef _SC_OPEN_MAX
231     local_max_fd = sysconf(_SC_OPEN_MAX);
232     if (local_max_fd == -1)
233 #endif
234         local_max_fd = 256;  /* Matches legacy Lib/subprocess.py behavior. */
235     return local_max_fd;
236 }
237 
238 
239 /* Close all file descriptors in the range from start_fd and higher
240  * except for those in py_fds_to_keep.  If the range defined by
241  * [start_fd, safe_get_max_fd()) is large this will take a long
242  * time as it calls close() on EVERY possible fd.
243  *
244  * It isn't possible to know for sure what the max fd to go up to
245  * is for processes with the capability of raising their maximum.
246  */
247 static void
_close_fds_by_brute_force(long start_fd,PyObject * py_fds_to_keep)248 _close_fds_by_brute_force(long start_fd, PyObject *py_fds_to_keep)
249 {
250     long end_fd = safe_get_max_fd();
251     Py_ssize_t num_fds_to_keep = PyTuple_GET_SIZE(py_fds_to_keep);
252     Py_ssize_t keep_seq_idx;
253     int fd_num;
254     /* As py_fds_to_keep is sorted we can loop through the list closing
255      * fds in between any in the keep list falling within our range. */
256     for (keep_seq_idx = 0; keep_seq_idx < num_fds_to_keep; ++keep_seq_idx) {
257         PyObject* py_keep_fd = PyTuple_GET_ITEM(py_fds_to_keep, keep_seq_idx);
258         int keep_fd = PyLong_AsLong(py_keep_fd);
259         if (keep_fd < start_fd)
260             continue;
261         for (fd_num = start_fd; fd_num < keep_fd; ++fd_num) {
262             close(fd_num);
263         }
264         start_fd = keep_fd + 1;
265     }
266     if (start_fd <= end_fd) {
267 #if defined(__FreeBSD__)
268         /* Any errors encountered while closing file descriptors are ignored */
269         closefrom(start_fd);
270 #else
271         for (fd_num = start_fd; fd_num < end_fd; ++fd_num) {
272             /* Ignore errors */
273             (void)close(fd_num);
274         }
275 #endif
276     }
277 }
278 
279 
280 #if defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)
281 /* It doesn't matter if d_name has room for NAME_MAX chars; we're using this
282  * only to read a directory of short file descriptor number names.  The kernel
283  * will return an error if we didn't give it enough space.  Highly Unlikely.
284  * This structure is very old and stable: It will not change unless the kernel
285  * chooses to break compatibility with all existing binaries.  Highly Unlikely.
286  */
287 struct linux_dirent64 {
288    unsigned long long d_ino;
289    long long d_off;
290    unsigned short d_reclen;     /* Length of this linux_dirent */
291    unsigned char  d_type;
292    char           d_name[256];  /* Filename (null-terminated) */
293 };
294 
295 /* Close all open file descriptors in the range from start_fd and higher
296  * Do not close any in the sorted py_fds_to_keep list.
297  *
298  * This version is async signal safe as it does not make any unsafe C library
299  * calls, malloc calls or handle any locks.  It is _unfortunate_ to be forced
300  * to resort to making a kernel system call directly but this is the ONLY api
301  * available that does no harm.  opendir/readdir/closedir perform memory
302  * allocation and locking so while they usually work they are not guaranteed
303  * to (especially if you have replaced your malloc implementation).  A version
304  * of this function that uses those can be found in the _maybe_unsafe variant.
305  *
306  * This is Linux specific because that is all I am ready to test it on.  It
307  * should be easy to add OS specific dirent or dirent64 structures and modify
308  * it with some cpp #define magic to work on other OSes as well if you want.
309  */
310 static void
_close_open_fds_safe(int start_fd,PyObject * py_fds_to_keep)311 _close_open_fds_safe(int start_fd, PyObject* py_fds_to_keep)
312 {
313     int fd_dir_fd;
314 
315     fd_dir_fd = _Py_open_noraise(FD_DIR, O_RDONLY);
316     if (fd_dir_fd == -1) {
317         /* No way to get a list of open fds. */
318         _close_fds_by_brute_force(start_fd, py_fds_to_keep);
319         return;
320     } else {
321         char buffer[sizeof(struct linux_dirent64)];
322         int bytes;
323         while ((bytes = syscall(SYS_getdents64, fd_dir_fd,
324                                 (struct linux_dirent64 *)buffer,
325                                 sizeof(buffer))) > 0) {
326             struct linux_dirent64 *entry;
327             int offset;
328 #ifdef _Py_MEMORY_SANITIZER
329             __msan_unpoison(buffer, bytes);
330 #endif
331             for (offset = 0; offset < bytes; offset += entry->d_reclen) {
332                 int fd;
333                 entry = (struct linux_dirent64 *)(buffer + offset);
334                 if ((fd = _pos_int_from_ascii(entry->d_name)) < 0)
335                     continue;  /* Not a number. */
336                 if (fd != fd_dir_fd && fd >= start_fd &&
337                     !_is_fd_in_sorted_fd_sequence(fd, py_fds_to_keep)) {
338                     close(fd);
339                 }
340             }
341         }
342         close(fd_dir_fd);
343     }
344 }
345 
346 #define _close_open_fds _close_open_fds_safe
347 
348 #else  /* NOT (defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)) */
349 
350 
351 /* Close all open file descriptors from start_fd and higher.
352  * Do not close any in the sorted py_fds_to_keep tuple.
353  *
354  * This function violates the strict use of async signal safe functions. :(
355  * It calls opendir(), readdir() and closedir().  Of these, the one most
356  * likely to ever cause a problem is opendir() as it performs an internal
357  * malloc().  Practically this should not be a problem.  The Java VM makes the
358  * same calls between fork and exec in its own UNIXProcess_md.c implementation.
359  *
360  * readdir_r() is not used because it provides no benefit.  It is typically
361  * implemented as readdir() followed by memcpy().  See also:
362  *   http://womble.decadent.org.uk/readdir_r-advisory.html
363  */
364 static void
_close_open_fds_maybe_unsafe(long start_fd,PyObject * py_fds_to_keep)365 _close_open_fds_maybe_unsafe(long start_fd, PyObject* py_fds_to_keep)
366 {
367     DIR *proc_fd_dir;
368 #ifndef HAVE_DIRFD
369     while (_is_fd_in_sorted_fd_sequence(start_fd, py_fds_to_keep)) {
370         ++start_fd;
371     }
372     /* Close our lowest fd before we call opendir so that it is likely to
373      * reuse that fd otherwise we might close opendir's file descriptor in
374      * our loop.  This trick assumes that fd's are allocated on a lowest
375      * available basis. */
376     close(start_fd);
377     ++start_fd;
378 #endif
379 
380 #if defined(__FreeBSD__)
381     if (!_is_fdescfs_mounted_on_dev_fd())
382         proc_fd_dir = NULL;
383     else
384 #endif
385         proc_fd_dir = opendir(FD_DIR);
386     if (!proc_fd_dir) {
387         /* No way to get a list of open fds. */
388         _close_fds_by_brute_force(start_fd, py_fds_to_keep);
389     } else {
390         struct dirent *dir_entry;
391 #ifdef HAVE_DIRFD
392         int fd_used_by_opendir = dirfd(proc_fd_dir);
393 #else
394         int fd_used_by_opendir = start_fd - 1;
395 #endif
396         errno = 0;
397         while ((dir_entry = readdir(proc_fd_dir))) {
398             int fd;
399             if ((fd = _pos_int_from_ascii(dir_entry->d_name)) < 0)
400                 continue;  /* Not a number. */
401             if (fd != fd_used_by_opendir && fd >= start_fd &&
402                 !_is_fd_in_sorted_fd_sequence(fd, py_fds_to_keep)) {
403                 close(fd);
404             }
405             errno = 0;
406         }
407         if (errno) {
408             /* readdir error, revert behavior. Highly Unlikely. */
409             _close_fds_by_brute_force(start_fd, py_fds_to_keep);
410         }
411         closedir(proc_fd_dir);
412     }
413 }
414 
415 #define _close_open_fds _close_open_fds_maybe_unsafe
416 
417 #endif  /* else NOT (defined(__linux__) && defined(HAVE_SYS_SYSCALL_H)) */
418 
419 
420 /*
421  * This function is code executed in the child process immediately after fork
422  * to set things up and call exec().
423  *
424  * All of the code in this function must only use async-signal-safe functions,
425  * listed at `man 7 signal` or
426  * http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html.
427  *
428  * This restriction is documented at
429  * http://www.opengroup.org/onlinepubs/009695399/functions/fork.html.
430  */
431 static void
child_exec(char * const exec_array[],char * const argv[],char * const envp[],const char * cwd,int p2cread,int p2cwrite,int c2pread,int c2pwrite,int errread,int errwrite,int errpipe_read,int errpipe_write,int close_fds,int restore_signals,int call_setsid,int call_setgid,gid_t gid,int call_setgroups,size_t groups_size,const gid_t * groups,int call_setuid,uid_t uid,int child_umask,PyObject * py_fds_to_keep,PyObject * preexec_fn,PyObject * preexec_fn_args_tuple)432 child_exec(char *const exec_array[],
433            char *const argv[],
434            char *const envp[],
435            const char *cwd,
436            int p2cread, int p2cwrite,
437            int c2pread, int c2pwrite,
438            int errread, int errwrite,
439            int errpipe_read, int errpipe_write,
440            int close_fds, int restore_signals,
441            int call_setsid,
442            int call_setgid, gid_t gid,
443            int call_setgroups, size_t groups_size, const gid_t *groups,
444            int call_setuid, uid_t uid, int child_umask,
445            PyObject *py_fds_to_keep,
446            PyObject *preexec_fn,
447            PyObject *preexec_fn_args_tuple)
448 {
449     int i, saved_errno, reached_preexec = 0;
450     PyObject *result;
451     const char* err_msg = "";
452     /* Buffer large enough to hold a hex integer.  We can't malloc. */
453     char hex_errno[sizeof(saved_errno)*2+1];
454 
455     if (make_inheritable(py_fds_to_keep, errpipe_write) < 0)
456         goto error;
457 
458     /* Close parent's pipe ends. */
459     if (p2cwrite != -1)
460         POSIX_CALL(close(p2cwrite));
461     if (c2pread != -1)
462         POSIX_CALL(close(c2pread));
463     if (errread != -1)
464         POSIX_CALL(close(errread));
465     POSIX_CALL(close(errpipe_read));
466 
467     /* When duping fds, if there arises a situation where one of the fds is
468        either 0, 1 or 2, it is possible that it is overwritten (#12607). */
469     if (c2pwrite == 0) {
470         POSIX_CALL(c2pwrite = dup(c2pwrite));
471         /* issue32270 */
472         if (_Py_set_inheritable_async_safe(c2pwrite, 0, NULL) < 0) {
473             goto error;
474         }
475     }
476     while (errwrite == 0 || errwrite == 1) {
477         POSIX_CALL(errwrite = dup(errwrite));
478         /* issue32270 */
479         if (_Py_set_inheritable_async_safe(errwrite, 0, NULL) < 0) {
480             goto error;
481         }
482     }
483 
484     /* Dup fds for child.
485        dup2() removes the CLOEXEC flag but we must do it ourselves if dup2()
486        would be a no-op (issue #10806). */
487     if (p2cread == 0) {
488         if (_Py_set_inheritable_async_safe(p2cread, 1, NULL) < 0)
489             goto error;
490     }
491     else if (p2cread != -1)
492         POSIX_CALL(dup2(p2cread, 0));  /* stdin */
493 
494     if (c2pwrite == 1) {
495         if (_Py_set_inheritable_async_safe(c2pwrite, 1, NULL) < 0)
496             goto error;
497     }
498     else if (c2pwrite != -1)
499         POSIX_CALL(dup2(c2pwrite, 1));  /* stdout */
500 
501     if (errwrite == 2) {
502         if (_Py_set_inheritable_async_safe(errwrite, 1, NULL) < 0)
503             goto error;
504     }
505     else if (errwrite != -1)
506         POSIX_CALL(dup2(errwrite, 2));  /* stderr */
507 
508     /* We no longer manually close p2cread, c2pwrite, and errwrite here as
509      * _close_open_fds takes care when it is not already non-inheritable. */
510 
511     if (cwd)
512         POSIX_CALL(chdir(cwd));
513 
514     if (child_umask >= 0)
515         umask(child_umask);  /* umask() always succeeds. */
516 
517     if (restore_signals)
518         _Py_RestoreSignals();
519 
520 #ifdef HAVE_SETSID
521     if (call_setsid)
522         POSIX_CALL(setsid());
523 #endif
524 
525 #ifdef HAVE_SETGROUPS
526     if (call_setgroups)
527         POSIX_CALL(setgroups(groups_size, groups));
528 #endif /* HAVE_SETGROUPS */
529 
530 #ifdef HAVE_SETREGID
531     if (call_setgid)
532         POSIX_CALL(setregid(gid, gid));
533 #endif /* HAVE_SETREGID */
534 
535 #ifdef HAVE_SETREUID
536     if (call_setuid)
537         POSIX_CALL(setreuid(uid, uid));
538 #endif /* HAVE_SETREUID */
539 
540 
541     reached_preexec = 1;
542     if (preexec_fn != Py_None && preexec_fn_args_tuple) {
543         /* This is where the user has asked us to deadlock their program. */
544         result = PyObject_Call(preexec_fn, preexec_fn_args_tuple, NULL);
545         if (result == NULL) {
546             /* Stringifying the exception or traceback would involve
547              * memory allocation and thus potential for deadlock.
548              * We've already faced potential deadlock by calling back
549              * into Python in the first place, so it probably doesn't
550              * matter but we avoid it to minimize the possibility. */
551             err_msg = "Exception occurred in preexec_fn.";
552             errno = 0;  /* We don't want to report an OSError. */
553             goto error;
554         }
555         /* Py_DECREF(result); - We're about to exec so why bother? */
556     }
557 
558     /* close FDs after executing preexec_fn, which might open FDs */
559     if (close_fds) {
560         /* TODO HP-UX could use pstat_getproc() if anyone cares about it. */
561         _close_open_fds(3, py_fds_to_keep);
562     }
563 
564     /* This loop matches the Lib/os.py _execvpe()'s PATH search when */
565     /* given the executable_list generated by Lib/subprocess.py.     */
566     saved_errno = 0;
567     for (i = 0; exec_array[i] != NULL; ++i) {
568         const char *executable = exec_array[i];
569         if (envp) {
570             execve(executable, argv, envp);
571         } else {
572             execv(executable, argv);
573         }
574         if (errno != ENOENT && errno != ENOTDIR && saved_errno == 0) {
575             saved_errno = errno;
576         }
577     }
578     /* Report the first exec error, not the last. */
579     if (saved_errno)
580         errno = saved_errno;
581 
582 error:
583     saved_errno = errno;
584     /* Report the posix error to our parent process. */
585     /* We ignore all write() return values as the total size of our writes is
586        less than PIPEBUF and we cannot do anything about an error anyways.
587        Use _Py_write_noraise() to retry write() if it is interrupted by a
588        signal (fails with EINTR). */
589     if (saved_errno) {
590         char *cur;
591         _Py_write_noraise(errpipe_write, "OSError:", 8);
592         cur = hex_errno + sizeof(hex_errno);
593         while (saved_errno != 0 && cur != hex_errno) {
594             *--cur = Py_hexdigits[saved_errno % 16];
595             saved_errno /= 16;
596         }
597         _Py_write_noraise(errpipe_write, cur, hex_errno + sizeof(hex_errno) - cur);
598         _Py_write_noraise(errpipe_write, ":", 1);
599         if (!reached_preexec) {
600             /* Indicate to the parent that the error happened before exec(). */
601             _Py_write_noraise(errpipe_write, "noexec", 6);
602         }
603         /* We can't call strerror(saved_errno).  It is not async signal safe.
604          * The parent process will look the error message up. */
605     } else {
606         _Py_write_noraise(errpipe_write, "SubprocessError:0:", 18);
607         _Py_write_noraise(errpipe_write, err_msg, strlen(err_msg));
608     }
609 }
610 
611 
612 static PyObject *
subprocess_fork_exec(PyObject * self,PyObject * args)613 subprocess_fork_exec(PyObject* self, PyObject *args)
614 {
615     PyObject *gc_module = NULL;
616     PyObject *executable_list, *py_fds_to_keep;
617     PyObject *env_list, *preexec_fn;
618     PyObject *process_args, *converted_args = NULL, *fast_args = NULL;
619     PyObject *preexec_fn_args_tuple = NULL;
620     PyObject *groups_list;
621     PyObject *uid_object, *gid_object;
622     int p2cread, p2cwrite, c2pread, c2pwrite, errread, errwrite;
623     int errpipe_read, errpipe_write, close_fds, restore_signals;
624     int call_setsid;
625     int call_setgid = 0, call_setgroups = 0, call_setuid = 0;
626     uid_t uid;
627     gid_t gid, *groups = NULL;
628     int child_umask;
629     PyObject *cwd_obj, *cwd_obj2 = NULL;
630     const char *cwd;
631     pid_t pid;
632     int need_to_reenable_gc = 0;
633     char *const *exec_array, *const *argv = NULL, *const *envp = NULL;
634     Py_ssize_t arg_num, num_groups = 0;
635     int need_after_fork = 0;
636     int saved_errno = 0;
637 
638     if (!PyArg_ParseTuple(
639             args, "OOpO!OOiiiiiiiiiiOOOiO:fork_exec",
640             &process_args, &executable_list,
641             &close_fds, &PyTuple_Type, &py_fds_to_keep,
642             &cwd_obj, &env_list,
643             &p2cread, &p2cwrite, &c2pread, &c2pwrite,
644             &errread, &errwrite, &errpipe_read, &errpipe_write,
645             &restore_signals, &call_setsid,
646             &gid_object, &groups_list, &uid_object, &child_umask,
647             &preexec_fn))
648         return NULL;
649 
650     if ((preexec_fn != Py_None) &&
651             (PyInterpreterState_Get() != PyInterpreterState_Main())) {
652         PyErr_SetString(PyExc_RuntimeError,
653                         "preexec_fn not supported within subinterpreters");
654         return NULL;
655     }
656 
657     if (close_fds && errpipe_write < 3) {  /* precondition */
658         PyErr_SetString(PyExc_ValueError, "errpipe_write must be >= 3");
659         return NULL;
660     }
661     if (_sanity_check_python_fd_sequence(py_fds_to_keep)) {
662         PyErr_SetString(PyExc_ValueError, "bad value(s) in fds_to_keep");
663         return NULL;
664     }
665 
666     PyInterpreterState *interp = PyInterpreterState_Get();
667     const PyConfig *config = _PyInterpreterState_GetConfig(interp);
668     if (config->_isolated_interpreter) {
669         PyErr_SetString(PyExc_RuntimeError,
670                         "subprocess not supported for isolated subinterpreters");
671         return NULL;
672     }
673 
674     /* We need to call gc.disable() when we'll be calling preexec_fn */
675     if (preexec_fn != Py_None) {
676         PyObject *result;
677 
678         gc_module = PyImport_ImportModule("gc");
679         if (gc_module == NULL)
680             return NULL;
681         result = PyObject_CallMethodNoArgs(
682             gc_module, _posixsubprocessstate_global->isenabled);
683         if (result == NULL) {
684             Py_DECREF(gc_module);
685             return NULL;
686         }
687         need_to_reenable_gc = PyObject_IsTrue(result);
688         Py_DECREF(result);
689         if (need_to_reenable_gc == -1) {
690             Py_DECREF(gc_module);
691             return NULL;
692         }
693         result = PyObject_CallMethodNoArgs(
694             gc_module, _posixsubprocessstate_global->disable);
695         if (result == NULL) {
696             Py_DECREF(gc_module);
697             return NULL;
698         }
699         Py_DECREF(result);
700     }
701 
702     exec_array = _PySequence_BytesToCharpArray(executable_list);
703     if (!exec_array)
704         goto cleanup;
705 
706     /* Convert args and env into appropriate arguments for exec() */
707     /* These conversions are done in the parent process to avoid allocating
708        or freeing memory in the child process. */
709     if (process_args != Py_None) {
710         Py_ssize_t num_args;
711         /* Equivalent to:  */
712         /*  tuple(PyUnicode_FSConverter(arg) for arg in process_args)  */
713         fast_args = PySequence_Fast(process_args, "argv must be a tuple");
714         if (fast_args == NULL)
715             goto cleanup;
716         num_args = PySequence_Fast_GET_SIZE(fast_args);
717         converted_args = PyTuple_New(num_args);
718         if (converted_args == NULL)
719             goto cleanup;
720         for (arg_num = 0; arg_num < num_args; ++arg_num) {
721             PyObject *borrowed_arg, *converted_arg;
722             if (PySequence_Fast_GET_SIZE(fast_args) != num_args) {
723                 PyErr_SetString(PyExc_RuntimeError, "args changed during iteration");
724                 goto cleanup;
725             }
726             borrowed_arg = PySequence_Fast_GET_ITEM(fast_args, arg_num);
727             if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0)
728                 goto cleanup;
729             PyTuple_SET_ITEM(converted_args, arg_num, converted_arg);
730         }
731 
732         argv = _PySequence_BytesToCharpArray(converted_args);
733         Py_CLEAR(converted_args);
734         Py_CLEAR(fast_args);
735         if (!argv)
736             goto cleanup;
737     }
738 
739     if (env_list != Py_None) {
740         envp = _PySequence_BytesToCharpArray(env_list);
741         if (!envp)
742             goto cleanup;
743     }
744 
745     if (cwd_obj != Py_None) {
746         if (PyUnicode_FSConverter(cwd_obj, &cwd_obj2) == 0)
747             goto cleanup;
748         cwd = PyBytes_AsString(cwd_obj2);
749     } else {
750         cwd = NULL;
751     }
752 
753     if (groups_list != Py_None) {
754 #ifdef HAVE_SETGROUPS
755         Py_ssize_t i;
756         unsigned long gid;
757 
758         if (!PyList_Check(groups_list)) {
759             PyErr_SetString(PyExc_TypeError,
760                     "setgroups argument must be a list");
761             goto cleanup;
762         }
763         num_groups = PySequence_Size(groups_list);
764 
765         if (num_groups < 0)
766             goto cleanup;
767 
768         if (num_groups > MAX_GROUPS) {
769             PyErr_SetString(PyExc_ValueError, "too many groups");
770             goto cleanup;
771         }
772 
773         if ((groups = PyMem_RawMalloc(num_groups * sizeof(gid_t))) == NULL) {
774             PyErr_SetString(PyExc_MemoryError,
775                     "failed to allocate memory for group list");
776             goto cleanup;
777         }
778 
779         for (i = 0; i < num_groups; i++) {
780             PyObject *elem;
781             elem = PySequence_GetItem(groups_list, i);
782             if (!elem)
783                 goto cleanup;
784             if (!PyLong_Check(elem)) {
785                 PyErr_SetString(PyExc_TypeError,
786                                 "groups must be integers");
787                 Py_DECREF(elem);
788                 goto cleanup;
789             } else {
790                 /* In posixmodule.c UnsignedLong is used as a fallback value
791                 * if the value provided does not fit in a Long. Since we are
792                 * already doing the bounds checking on the Python side, we
793                 * can go directly to an UnsignedLong here. */
794                 if (!_Py_Gid_Converter(elem, &gid)) {
795                     Py_DECREF(elem);
796                     PyErr_SetString(PyExc_ValueError, "invalid group id");
797                     goto cleanup;
798                 }
799                 groups[i] = gid;
800             }
801             Py_DECREF(elem);
802         }
803         call_setgroups = 1;
804 
805 #else /* HAVE_SETGROUPS */
806         PyErr_BadInternalCall();
807         goto cleanup;
808 #endif /* HAVE_SETGROUPS */
809     }
810 
811     if (gid_object != Py_None) {
812 #ifdef HAVE_SETREGID
813         if (!_Py_Gid_Converter(gid_object, &gid))
814             goto cleanup;
815 
816         call_setgid = 1;
817 
818 #else /* HAVE_SETREGID */
819         PyErr_BadInternalCall();
820         goto cleanup;
821 #endif /* HAVE_SETREUID */
822     }
823 
824     if (uid_object != Py_None) {
825 #ifdef HAVE_SETREUID
826         if (!_Py_Uid_Converter(uid_object, &uid))
827             goto cleanup;
828 
829         call_setuid = 1;
830 
831 #else /* HAVE_SETREUID */
832         PyErr_BadInternalCall();
833         goto cleanup;
834 #endif /* HAVE_SETREUID */
835     }
836 
837     /* This must be the last thing done before fork() because we do not
838      * want to call PyOS_BeforeFork() if there is any chance of another
839      * error leading to the cleanup: code without calling fork(). */
840     if (preexec_fn != Py_None) {
841         preexec_fn_args_tuple = PyTuple_New(0);
842         if (!preexec_fn_args_tuple)
843             goto cleanup;
844         PyOS_BeforeFork();
845         need_after_fork = 1;
846     }
847 
848     pid = fork();
849     if (pid == 0) {
850         /* Child process */
851         /*
852          * Code from here to _exit() must only use async-signal-safe functions,
853          * listed at `man 7 signal` or
854          * http://www.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html.
855          */
856 
857         if (preexec_fn != Py_None) {
858             /* We'll be calling back into Python later so we need to do this.
859              * This call may not be async-signal-safe but neither is calling
860              * back into Python.  The user asked us to use hope as a strategy
861              * to avoid deadlock... */
862             PyOS_AfterFork_Child();
863         }
864 
865         child_exec(exec_array, argv, envp, cwd,
866                    p2cread, p2cwrite, c2pread, c2pwrite,
867                    errread, errwrite, errpipe_read, errpipe_write,
868                    close_fds, restore_signals, call_setsid,
869                    call_setgid, gid, call_setgroups, num_groups, groups,
870                    call_setuid, uid, child_umask,
871                    py_fds_to_keep, preexec_fn, preexec_fn_args_tuple);
872         _exit(255);
873         return NULL;  /* Dead code to avoid a potential compiler warning. */
874     }
875     /* Parent (original) process */
876     if (pid == -1) {
877         /* Capture errno for the exception. */
878         saved_errno = errno;
879     }
880 
881     Py_XDECREF(cwd_obj2);
882 
883     if (need_after_fork)
884         PyOS_AfterFork_Parent();
885     if (envp)
886         _Py_FreeCharPArray(envp);
887     if (argv)
888         _Py_FreeCharPArray(argv);
889     _Py_FreeCharPArray(exec_array);
890 
891     /* Reenable gc in the parent process (or if fork failed). */
892     if (_enable_gc(need_to_reenable_gc, gc_module)) {
893         pid = -1;
894     }
895     PyMem_RawFree(groups);
896     Py_XDECREF(preexec_fn_args_tuple);
897     Py_XDECREF(gc_module);
898 
899     if (pid == -1) {
900         errno = saved_errno;
901         /* We can't call this above as PyOS_AfterFork_Parent() calls back
902          * into Python code which would see the unreturned error. */
903         PyErr_SetFromErrno(PyExc_OSError);
904         return NULL;  /* fork() failed. */
905     }
906 
907     return PyLong_FromPid(pid);
908 
909 cleanup:
910     Py_XDECREF(cwd_obj2);
911     if (envp)
912         _Py_FreeCharPArray(envp);
913     if (argv)
914         _Py_FreeCharPArray(argv);
915     if (exec_array)
916         _Py_FreeCharPArray(exec_array);
917 
918     PyMem_RawFree(groups);
919     Py_XDECREF(converted_args);
920     Py_XDECREF(fast_args);
921     Py_XDECREF(preexec_fn_args_tuple);
922     _enable_gc(need_to_reenable_gc, gc_module);
923     Py_XDECREF(gc_module);
924     return NULL;
925 }
926 
927 
928 PyDoc_STRVAR(subprocess_fork_exec_doc,
929 "fork_exec(args, executable_list, close_fds, pass_fds, cwd, env,\n\
930           p2cread, p2cwrite, c2pread, c2pwrite,\n\
931           errread, errwrite, errpipe_read, errpipe_write,\n\
932           restore_signals, call_setsid,\n\
933           gid, groups_list, uid,\n\
934           preexec_fn)\n\
935 \n\
936 Forks a child process, closes parent file descriptors as appropriate in the\n\
937 child and dups the few that are needed before calling exec() in the child\n\
938 process.\n\
939 \n\
940 If close_fds is true, close file descriptors 3 and higher, except those listed\n\
941 in the sorted tuple pass_fds.\n\
942 \n\
943 The preexec_fn, if supplied, will be called immediately before closing file\n\
944 descriptors and exec.\n\
945 WARNING: preexec_fn is NOT SAFE if your application uses threads.\n\
946          It may trigger infrequent, difficult to debug deadlocks.\n\
947 \n\
948 If an error occurs in the child process before the exec, it is\n\
949 serialized and written to the errpipe_write fd per subprocess.py.\n\
950 \n\
951 Returns: the child process's PID.\n\
952 \n\
953 Raises: Only on an error in the parent process.\n\
954 ");
955 
956 /* module level code ********************************************************/
957 
958 PyDoc_STRVAR(module_doc,
959 "A POSIX helper for the subprocess module.");
960 
961 
962 static PyMethodDef module_methods[] = {
963     {"fork_exec", subprocess_fork_exec, METH_VARARGS, subprocess_fork_exec_doc},
964     {NULL, NULL}  /* sentinel */
965 };
966 
967 
_posixsubprocess_traverse(PyObject * m,visitproc visit,void * arg)968 static int _posixsubprocess_traverse(PyObject *m, visitproc visit, void *arg) {
969     Py_VISIT(get_posixsubprocess_state(m)->disable);
970     Py_VISIT(get_posixsubprocess_state(m)->enable);
971     Py_VISIT(get_posixsubprocess_state(m)->isenabled);
972     return 0;
973 }
974 
_posixsubprocess_clear(PyObject * m)975 static int _posixsubprocess_clear(PyObject *m) {
976     Py_CLEAR(get_posixsubprocess_state(m)->disable);
977     Py_CLEAR(get_posixsubprocess_state(m)->enable);
978     Py_CLEAR(get_posixsubprocess_state(m)->isenabled);
979     return 0;
980 }
981 
_posixsubprocess_free(void * m)982 static void _posixsubprocess_free(void *m) {
983     _posixsubprocess_clear((PyObject *)m);
984 }
985 
986 static struct PyModuleDef _posixsubprocessmodule = {
987         PyModuleDef_HEAD_INIT,
988         "_posixsubprocess",
989         module_doc,
990         sizeof(_posixsubprocessstate),
991         module_methods,
992         NULL,
993         _posixsubprocess_traverse,
994         _posixsubprocess_clear,
995         _posixsubprocess_free,
996 };
997 
998 PyMODINIT_FUNC
PyInit__posixsubprocess(void)999 PyInit__posixsubprocess(void)
1000 {
1001     PyObject* m;
1002 
1003     m = PyState_FindModule(&_posixsubprocessmodule);
1004     if (m != NULL) {
1005       Py_INCREF(m);
1006       return m;
1007     }
1008 
1009     m = PyModule_Create(&_posixsubprocessmodule);
1010     if (m == NULL) {
1011       return NULL;
1012     }
1013 
1014     get_posixsubprocess_state(m)->disable = PyUnicode_InternFromString("disable");
1015     get_posixsubprocess_state(m)->enable = PyUnicode_InternFromString("enable");
1016     get_posixsubprocess_state(m)->isenabled = PyUnicode_InternFromString("isenabled");
1017 
1018     PyState_AddModule(m, &_posixsubprocessmodule);
1019     return m;
1020 }
1021