unix-socket: disallow chdir() when creating unix domain sockets

Calls to `chdir()` are dangerous in a multi-threaded context.  If
`unix_stream_listen()` or `unix_stream_connect()` is given a socket
pathname that is too long to fit in a `sockaddr_un` structure, it will
`chdir()` to the parent directory of the requested socket pathname,
create the socket using a relative pathname, and then `chdir()` back.
This is not thread-safe.

Teach `unix_sockaddr_init()` to not allow calls to `chdir()` when this
flag is set.

Signed-off-by: Jeff Hostetler <jeffhost@microsoft.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/builtin/credential-cache.c b/builtin/credential-cache.c
index 9b3f709905979ef213e76069b573390f4eda7333..76a6ba37223fa94347192bdd7762da29cf6de920 100644 (file)
--- a/builtin/credential-cache.c
+++ b/builtin/credential-cache.c
@@ -14,7 +14,7 @@
 static int send_request(const char *socket, const struct strbuf *out)
 {
        int got_data = 0;
-       int fd = unix_stream_connect(socket);
+       int fd = unix_stream_connect(socket, 0);
 
        if (fd < 0)
                return -1;

diff --git a/unix-socket.c b/unix-socket.c
index 012becd93d577d3e1a74beb39857a8a5cff0f0a6..e0be1badb58dee8af8e28c4a4486bf0fdba18a9c 100644 (file)
--- a/unix-socket.c
+++ b/unix-socket.c
@@ -30,16 +30,23 @@ static void unix_sockaddr_cleanup(struct unix_sockaddr_context *ctx)
 }
 
 static int unix_sockaddr_init(struct sockaddr_un *sa, const char *path,
-                             struct unix_sockaddr_context *ctx)
+                             struct unix_sockaddr_context *ctx,
+                             int disallow_chdir)
 {
        int size = strlen(path) + 1;
 
        ctx->orig_dir = NULL;
        if (size > sizeof(sa->sun_path)) {
-               const char *slash = find_last_dir_sep(path);
+               const char *slash;
                const char *dir;
                struct strbuf cwd = STRBUF_INIT;
 
+               if (disallow_chdir) {
+                       errno = ENAMETOOLONG;
+                       return -1;
+               }
+
+               slash = find_last_dir_sep(path);
                if (!slash) {
                        errno = ENAMETOOLONG;
                        return -1;
@@ -65,13 +72,13 @@ static int unix_sockaddr_init(struct sockaddr_un *sa, const char *path,
        return 0;
 }
 
-int unix_stream_connect(const char *path)
+int unix_stream_connect(const char *path, int disallow_chdir)
 {
        int fd = -1, saved_errno;
        struct sockaddr_un sa;
        struct unix_sockaddr_context ctx;
 
-       if (unix_sockaddr_init(&sa, path, &ctx) < 0)
+       if (unix_sockaddr_init(&sa, path, &ctx, disallow_chdir) < 0)
                return -1;
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0)
@@ -101,7 +108,7 @@ int unix_stream_listen(const char *path,
 
        unlink(path);
 
-       if (unix_sockaddr_init(&sa, path, &ctx) < 0)
+       if (unix_sockaddr_init(&sa, path, &ctx, opts->disallow_chdir) < 0)
                return -1;
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0)

diff --git a/unix-socket.h b/unix-socket.h
index ec2fb3ea726714934d430c944c8af5b00f8ac061..8542cdd7995d7942a18bfa8b0ccb91e761dfd5a8 100644 (file)
--- a/unix-socket.h
+++ b/unix-socket.h
@@ -3,11 +3,12 @@
 
 struct unix_stream_listen_opts {
        int listen_backlog_size;
+       unsigned int disallow_chdir:1;
 };
 
 #define UNIX_STREAM_LISTEN_OPTS_INIT { 0 }
 
-int unix_stream_connect(const char *path);
+int unix_stream_connect(const char *path, int disallow_chdir);
 int unix_stream_listen(const char *path,
                       const struct unix_stream_listen_opts *opts);