dbus-daemon, dbus-launch: cope with callers having closed standard fds

In Debian bug <https://bugs.debian.org/829348>, lightdm appears to have been starting dbus-launch with at least one of the three standard fds 0, 1, 2 (stdin, stdout, stderr) closed. This resulted in the dbus-daemon's epoll_create1() returning a fd less than 3. Later, _dbus_become_daemon() replaces fds 0-2 with /dev/null. As a result, a subsequent call to _dbus_loop_add_watch() for the reload pipe resulted in calling epoll_ctl on the non-epoll fd pointing to /dev/null, which fails with EINVAL, resulting in the dbus-daemon exiting unsuccessfully. Unix programs are not normally expected to behave correctly when launched with the standard fds not already open; but at the same time, X11 autolaunching means that dbus-launch (and hence the dbus-daemon) can get started from an arbitrarily precarious situation. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97008 Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Thiago Macieira <thiago@kde.org>
2025-12-25 18:40:08 +01:00 · 2016-07-21 08:24:38 +01:00 · 2016-07-21 08:24:38 +01:00 · c8f73a2a3a
commit c8f73a2a3a
parent 69123a6bd2
2 changed files with 42 additions and 2 deletions
--- a/bus/main.c
+++ b/bus/main.c
@ -42,6 +42,10 @@
 #include "apparmor.h"
 #include "audit.h"

+#ifdef DBUS_UNIX
+#include <dbus/dbus-sysdeps-unix.h>
+#endif
+
 static BusContext *context;

 #ifdef DBUS_UNIX
@ -378,6 +382,27 @@ main (int argc, char **argv)
  dbus_bool_t print_address;
  dbus_bool_t print_pid;
  BusContextFlags flags;
+#ifdef DBUS_UNIX
+  const char *error_str;
+
+  /* Redirect stdin from /dev/null since we will never need it, and
+   * redirect stdout and stderr to /dev/null if not already open.
+   *
+   * We should do this as the very first thing, to ensure that when we
+   * create other file descriptors (for example for epoll, inotify or
+   * a socket), they never get assigned as fd 0, 1 or 2. If they were,
+   * which could happen if our caller had (incorrectly) closed those
+   * standard fds, they'd get closed when we daemonize - for example,
+   * closing our listening socket would stop us listening, and closing
+   * a Linux epoll socket would cause the main loop to fail. */
+  if (!_dbus_ensure_standard_fds (DBUS_FORCE_STDIN_NULL, &error_str))
+    {
+      fprintf (stderr,
+               "dbus-daemon: fatal error setting up standard fds: %s: %s\n",
+               error_str, _dbus_strerror (errno));
+      return 1;
+    }
+#endif

  if (!_dbus_string_init (&config_file))
    return 1;
--- a/tools/dbus-launch.c
+++ b/tools/dbus-launch.c
@ -843,10 +843,25 @@ main (int argc, char **argv)
  char *config_file;
  dbus_bool_t user_bus_supported = FALSE;
  DBusString user_bus;
-  
+  const char *error_str;
+
  exit_with_session = FALSE;
  config_file = NULL;
-  
+
+  /* Ensure that the first three fds are open, to ensure that when we
+   * create other file descriptors (for example for epoll, inotify or
+   * a socket), they never get assigned as fd 0, 1 or 2. If they were,
+   * which could happen if our caller had (incorrectly) closed those
+   * standard fds, then we'd start dbus-daemon with those fds closed,
+   * which is unexpected and could cause it to misbehave. */
+  if (!_dbus_ensure_standard_fds (0, &error_str))
+    {
+      fprintf (stderr,
+               "dbus-launch: fatal error setting up standard fds: %s: %s\n",
+               error_str, _dbus_strerror (errno));
+      return 1;
+    }
+
  prev_arg = NULL;
  i = 1;
  while (i < argc)