From c1cf5148a1c6302d27661ff0af772de1e7dbb2b6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?P=C3=A1draig=20Brady?= Date: Mon, 11 Mar 2024 13:18:37 +0000 Subject: [PATCH] timeout: fix race where we might kill arbitrary processes * src/timeout.c (cleanup): Handle the case where monitored_pid might be -1, which could happen if a signal was received immediately after a failed fork() call. In that case it would send the termination signal to all processes that the timeout process has permission to send signals too. * NEWS: Mention the bug fix. --- NEWS | 4 ++++ src/timeout.c | 11 ++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 70c4e2f44b..864d7fe8b6 100644 --- a/NEWS +++ b/NEWS @@ -33,6 +33,10 @@ GNU coreutils NEWS -*- outline -*- on systems with a page size larger than the stdio BUFSIZ. [This bug was present in "the beginning".] + timeout avoids a narrow race condition, where it might kill arbitrary + processes after a failed process fork. + [bug introduced with timeout in coreutils-7.0] + wc no longer fails to count unprintable characters as parts of words. [bug introduced in textutils-2.1] diff --git a/src/timeout.c b/src/timeout.c index 85d97c0b50..9aa46a4f5a 100644 --- a/src/timeout.c +++ b/src/timeout.c @@ -207,7 +207,7 @@ cleanup (int sig) timed_out = 1; sig = term_signal; } - if (monitored_pid) + if (0 < monitored_pid) { if (kill_after) { @@ -244,8 +244,13 @@ cleanup (int sig) } } } - else /* we're the child or the child is not exec'd yet. */ - _exit (128 + sig); + else if (monitored_pid == -1) + { /* were in the parent, so let it continue to exit below. */ + } + else /* monitored_pid == 0 */ + { /* we're the child or the child is not exec'd yet. */ + _exit (128 + sig); + } } void -- 2.47.2