misc/140493: truss log file descriptor shared with traced program

Erik Lax erik at datahack.se
Wed Nov 11 22:10:04 UTC 2009 

>Number:         140493
>Category:       misc
>Synopsis:       truss log file descriptor shared with traced program
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 11 22:10:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Erik Lax
>Release:        FreeBSD 7.2-RELEASE
>Organization:
>Environment:
FreeBSD freebsd.datahack.se 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 08:49:13 UTC 2009     root at walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The truss -o log file descriptor is shared with the traced program when truss starts the program with vfork/execvp, for no obvious reason(?).

So it may play with your head when you are trying to debug a program if you are not aware of this!

As a security/technical problem this may affects badly written programs that  expects a certain file descriptor to be opened at some target, causing the log file to be modified (by accident or evil...ftruncate).
>How-To-Repeat:
In one terminal

# truss -o /tmp/truss.log sleep 60

followed by .. in another terminal

# fstat | grep sleep
root     sleep      37193 root /             2 drwxr-xr-x     512  r
root     sleep      37193   wd /         45516 drwxr-xr-x     512  r
root     sleep      37193 text /         46256 -r-xr-xr-x    5964  r
root     sleep      37193    0 /dev        100 crw--w----   ttyp2 rw
root     sleep      37193    1 /dev        100 crw--w----   ttyp2 rw
root     sleep      37193    2 /dev        100 crw--w----   ttyp2 rw
root     sleep      37193    3 /tmp          4 -rw-r--r--    2278  w

File descriptor 3 is pointing at the log file provided by -o
>Fix:
Close the file descriptor trussinfo->outfile after the vfork().

Suggested changes would be to either make setup_and_wait(char *command[]) (setup.c) also take the file descriptor that should be closed as an argument or close all file descriptors from fd#3 and above after the vfork().

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list