timeout: fix race where we might kill arbitrary processes

* src/timeout.c (cleanup): Handle the case where monitored_pid
might be -1, which could happen if a signal was received
immediately after a failed fork() call.  In that case it would
send the termination signal to all processes that the timeout
process has permission to send signals too.
* NEWS: Mention the bug fix.

diff --git a/NEWS b/NEWS
index 70c4e2f44bfac9be5a147c260d60fe5c104c5772..864d7fe8b6ef3ccb394dc7c611ad27c06c724cea 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -33,6 +33,10 @@ GNU coreutils NEWS                                    -*- outline -*-
   on systems with a page size larger than the stdio BUFSIZ.
   [This bug was present in "the beginning".]
 
+  timeout avoids a narrow race condition, where it might kill arbitrary
+  processes after a failed process fork.
+  [bug introduced with timeout in coreutils-7.0]
+
   wc no longer fails to count unprintable characters as parts of words.
   [bug introduced in textutils-2.1]
 

diff --git a/src/timeout.c b/src/timeout.c
index 85d97c0b50d23186510cb3355a082af57f419c2f..9aa46a4f5a947a8257882116b7a730fca2e25334 100644 (file)
--- a/src/timeout.c
+++ b/src/timeout.c
@@ -207,7 +207,7 @@ cleanup (int sig)
       timed_out = 1;
       sig = term_signal;
     }
-  if (monitored_pid)
+  if (0 < monitored_pid)
     {
       if (kill_after)
         {
@@ -244,8 +244,13 @@ cleanup (int sig)
             }
         }
     }
-  else /* we're the child or the child is not exec'd yet.  */
-    _exit (128 + sig);
+  else if (monitored_pid == -1)
+    { /* were in the parent, so let it continue to exit below.  */
+    }
+  else /* monitored_pid == 0  */
+    { /* we're the child or the child is not exec'd yet.  */
+      _exit (128 + sig);
+    }
 }
 
 void