1 /* 2 * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 #include <dirent.h> 27 #include <errno.h> 28 #include <fcntl.h> 29 #include <stdlib.h> 30 #include <string.h> 31 #include <unistd.h> 32 #include <limits.h> 33 34 #include "childproc.h" 35 36 37 ssize_t 38 restartableWrite(int fd, const void *buf, size_t count) 39 { 40 ssize_t result; 41 RESTARTABLE(write(fd, buf, count), result); 42 return result; 43 } 44 45 int 46 restartableDup2(int fd_from, int fd_to) 47 { 48 int err; 49 RESTARTABLE(dup2(fd_from, fd_to), err); 50 return err; 51 } 52 53 int 54 closeSafely(int fd) 55 { 56 return (fd == -1) ? 0 : close(fd); 57 } 58 59 int 60 isAsciiDigit(char c) 61 { 62 return c >= '0' && c <= '9'; 63 } 64 65 #if defined(_AIX) 66 /* AIX does not understand '/proc/self' - it requires the real process ID */ 67 #define FD_DIR aix_fd_dir 68 #define DIR DIR64 69 #define opendir opendir64 70 #define closedir closedir64 71 #elif defined(_ALLBSD_SOURCE) 72 #define FD_DIR "/dev/fd" 73 #define dirent64 dirent 74 #define readdir64 readdir 75 #else 76 #define FD_DIR "/proc/self/fd" 77 #endif 78 79 int 80 closeDescriptors(void) 81 { 82 DIR *dp; 83 struct dirent64 *dirp; 84 int from_fd = FAIL_FILENO + 1; 85 86 /* We're trying to close all file descriptors, but opendir() might 87 * itself be implemented using a file descriptor, and we certainly 88 * don't want to close that while it's in use. We assume that if 89 * opendir() is implemented using a file descriptor, then it uses 90 * the lowest numbered file descriptor, just like open(). So we 91 * close a couple explicitly. */ 92 93 close(from_fd); /* for possible use by opendir() */ 94 close(from_fd + 1); /* another one for good luck */ 95 96 #if defined(_AIX) 97 /* AIX does not understand '/proc/self' - it requires the real process ID */ 98 char aix_fd_dir[32]; /* the pid has at most 19 digits */ 99 snprintf(aix_fd_dir, 32, "/proc/%d/fd", getpid()); 100 #endif 101 102 if ((dp = opendir(FD_DIR)) == NULL) 103 return 0; 104 105 /* We use readdir64 instead of readdir to work around Solaris bug 106 * 6395699: /proc/self/fd fails to report file descriptors >= 1024 on Solaris 9 107 */ 108 while ((dirp = readdir64(dp)) != NULL) { 109 int fd; 110 if (isAsciiDigit(dirp->d_name[0]) && 111 (fd = strtol(dirp->d_name, NULL, 10)) >= from_fd + 2) 112 close(fd); 113 } 114 115 closedir(dp); 116 117 return 1; 118 } 119 120 int 121 moveDescriptor(int fd_from, int fd_to) 122 { 123 if (fd_from != fd_to) { 124 if ((restartableDup2(fd_from, fd_to) == -1) || 125 (close(fd_from) == -1)) 126 return -1; 127 } 128 return 0; 129 } 130 131 int 132 magicNumber() { 133 return 43110; 134 } 135 136 /* 137 * Reads nbyte bytes from file descriptor fd into buf, 138 * The read operation is retried in case of EINTR or partial reads. 139 * 140 * Returns number of bytes read (normally nbyte, but may be less in 141 * case of EOF). In case of read errors, returns -1 and sets errno. 142 */ 143 ssize_t 144 readFully(int fd, void *buf, size_t nbyte) 145 { 146 ssize_t remaining = nbyte; 147 for (;;) { 148 ssize_t n = read(fd, buf, remaining); 149 if (n == 0) { 150 return nbyte - remaining; 151 } else if (n > 0) { 152 remaining -= n; 153 if (remaining <= 0) 154 return nbyte; 155 /* We were interrupted in the middle of reading the bytes. 156 * Unlikely, but possible. */ 157 buf = (void *) (((char *)buf) + n); 158 } else if (errno == EINTR) { 159 /* Strange signals like SIGJVM1 are possible at any time. 160 * See http://www.dreamsongs.com/WorseIsBetter.html */ 161 } else { 162 return -1; 163 } 164 } 165 } 166 167 void 168 initVectorFromBlock(const char**vector, const char* block, int count) 169 { 170 int i; 171 const char *p; 172 for (i = 0, p = block; i < count; i++) { 173 /* Invariant: p always points to the start of a C string. */ 174 vector[i] = p; 175 while (*(p++)); 176 } 177 vector[count] = NULL; 178 } 179 180 /** 181 * Exec FILE as a traditional Bourne shell script (i.e. one without #!). 182 * If we could do it over again, we would probably not support such an ancient 183 * misfeature, but compatibility wins over sanity. The original support for 184 * this was imported accidentally from execvp(). 185 */ 186 void 187 execve_as_traditional_shell_script(const char *file, 188 const char *argv[], 189 const char *const envp[]) 190 { 191 /* Use the extra word of space provided for us in argv by caller. */ 192 const char *argv0 = argv[0]; 193 const char *const *end = argv; 194 while (*end != NULL) 195 ++end; 196 memmove(argv+2, argv+1, (end-argv) * sizeof(*end)); 197 argv[0] = "/bin/sh"; 198 argv[1] = file; 199 execve(argv[0], (char **) argv, (char **) envp); 200 /* Can't even exec /bin/sh? Big trouble, but let's soldier on... */ 201 memmove(argv+1, argv+2, (end-argv) * sizeof(*end)); 202 argv[0] = argv0; 203 } 204 205 /** 206 * Like execve(2), except that in case of ENOEXEC, FILE is assumed to 207 * be a shell script and the system default shell is invoked to run it. 208 */ 209 void 210 execve_with_shell_fallback(int mode, const char *file, 211 const char *argv[], 212 const char *const envp[]) 213 { 214 if (mode == MODE_CLONE || mode == MODE_VFORK) { 215 /* shared address space; be very careful. */ 216 execve(file, (char **) argv, (char **) envp); 217 if (errno == ENOEXEC) 218 execve_as_traditional_shell_script(file, argv, envp); 219 } else { 220 /* unshared address space; we can mutate environ. */ 221 environ = (char **) envp; 222 execvp(file, (char **) argv); 223 } 224 } 225 226 /** 227 * 'execvpe' should have been included in the Unix standards, 228 * and is a GNU extension in glibc 2.10. 229 * 230 * JDK_execvpe is identical to execvp, except that the child environment is 231 * specified via the 3rd argument instead of being inherited from environ. 232 */ 233 void 234 JDK_execvpe(int mode, const char *file, 235 const char *argv[], 236 const char *const envp[]) 237 { 238 if (envp == NULL || (char **) envp == environ) { 239 execvp(file, (char **) argv); 240 return; 241 } 242 243 if (*file == '\0') { 244 errno = ENOENT; 245 return; 246 } 247 248 if (strchr(file, '/') != NULL) { 249 execve_with_shell_fallback(mode, file, argv, envp); 250 } else { 251 /* We must search PATH (parent's, not child's) */ 252 char expanded_file[PATH_MAX]; 253 int filelen = strlen(file); 254 int sticky_errno = 0; 255 const char * const * dirs; 256 for (dirs = parentPathv; *dirs; dirs++) { 257 const char * dir = *dirs; 258 int dirlen = strlen(dir); 259 if (filelen + dirlen + 2 >= PATH_MAX) { 260 errno = ENAMETOOLONG; 261 continue; 262 } 263 memcpy(expanded_file, dir, dirlen); 264 if (expanded_file[dirlen - 1] != '/') 265 expanded_file[dirlen++] = '/'; 266 memcpy(expanded_file + dirlen, file, filelen); 267 expanded_file[dirlen + filelen] = '\0'; 268 execve_with_shell_fallback(mode, expanded_file, argv, envp); 269 /* There are 3 responses to various classes of errno: 270 * return immediately, continue (especially for ENOENT), 271 * or continue with "sticky" errno. 272 * 273 * From exec(3): 274 * 275 * If permission is denied for a file (the attempted 276 * execve returned EACCES), these functions will continue 277 * searching the rest of the search path. If no other 278 * file is found, however, they will return with the 279 * global variable errno set to EACCES. 280 */ 281 switch (errno) { 282 case EACCES: 283 sticky_errno = errno; 284 /* FALLTHRU */ 285 case ENOENT: 286 case ENOTDIR: 287 #ifdef ELOOP 288 case ELOOP: 289 #endif 290 #ifdef ESTALE 291 case ESTALE: 292 #endif 293 #ifdef ENODEV 294 case ENODEV: 295 #endif 296 #ifdef ETIMEDOUT 297 case ETIMEDOUT: 298 #endif 299 break; /* Try other directories in PATH */ 300 default: 301 return; 302 } 303 } 304 if (sticky_errno != 0) 305 errno = sticky_errno; 306 } 307 } 308 309 /** 310 * Child process after a successful fork(). 311 * This function must not return, and must be prepared for either all 312 * of its address space to be shared with its parent, or to be a copy. 313 * It must not modify global variables such as "environ". 314 */ 315 int 316 childProcess(void *arg) 317 { 318 const ChildStuff* p = (const ChildStuff*) arg; 319 320 /* Close the parent sides of the pipes. 321 Closing pipe fds here is redundant, since closeDescriptors() 322 would do it anyways, but a little paranoia is a good thing. */ 323 if ((closeSafely(p->in[1]) == -1) || 324 (closeSafely(p->out[0]) == -1) || 325 (closeSafely(p->err[0]) == -1) || 326 (closeSafely(p->childenv[0]) == -1) || 327 (closeSafely(p->childenv[1]) == -1) || 328 (closeSafely(p->fail[0]) == -1)) 329 goto WhyCantJohnnyExec; 330 331 /* Give the child sides of the pipes the right fileno's. */ 332 /* Note: it is possible for in[0] == 0 */ 333 if ((moveDescriptor(p->in[0] != -1 ? p->in[0] : p->fds[0], 334 STDIN_FILENO) == -1) || 335 (moveDescriptor(p->out[1]!= -1 ? p->out[1] : p->fds[1], 336 STDOUT_FILENO) == -1)) 337 goto WhyCantJohnnyExec; 338 339 if (p->redirectErrorStream) { 340 if ((closeSafely(p->err[1]) == -1) || 341 (restartableDup2(STDOUT_FILENO, STDERR_FILENO) == -1)) 342 goto WhyCantJohnnyExec; 343 } else { 344 if (moveDescriptor(p->err[1] != -1 ? p->err[1] : p->fds[2], 345 STDERR_FILENO) == -1) 346 goto WhyCantJohnnyExec; 347 } 348 349 if (moveDescriptor(p->fail[1], FAIL_FILENO) == -1) 350 goto WhyCantJohnnyExec; 351 352 /* close everything */ 353 if (closeDescriptors() == 0) { /* failed, close the old way */ 354 int max_fd = (int)sysconf(_SC_OPEN_MAX); 355 int fd; 356 for (fd = FAIL_FILENO + 1; fd < max_fd; fd++) 357 if (close(fd) == -1 && errno != EBADF) 358 goto WhyCantJohnnyExec; 359 } 360 361 /* change to the new working directory */ 362 if (p->pdir != NULL && chdir(p->pdir) < 0) 363 goto WhyCantJohnnyExec; 364 365 if (fcntl(FAIL_FILENO, F_SETFD, FD_CLOEXEC) == -1) 366 goto WhyCantJohnnyExec; 367 368 JDK_execvpe(p->mode, p->argv[0], p->argv, p->envv); 369 370 WhyCantJohnnyExec: 371 /* We used to go to an awful lot of trouble to predict whether the 372 * child would fail, but there is no reliable way to predict the 373 * success of an operation without *trying* it, and there's no way 374 * to try a chdir or exec in the parent. Instead, all we need is a 375 * way to communicate any failure back to the parent. Easy; we just 376 * send the errno back to the parent over a pipe in case of failure. 377 * The tricky thing is, how do we communicate the *success* of exec? 378 * We use FD_CLOEXEC together with the fact that a read() on a pipe 379 * yields EOF when the write ends (we have two of them!) are closed. 380 */ 381 { 382 int errnum = errno; 383 restartableWrite(FAIL_FILENO, &errnum, sizeof(errnum)); 384 } 385 close(FAIL_FILENO); 386 _exit(-1); 387 return 0; /* Suppress warning "no return value from function" */ 388 }