1 /*
   2  * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 #include <dirent.h>
  25 #include <errno.h>
  26 #include <fcntl.h>
  27 #include <stdlib.h>
  28 #include <string.h>
  29 #include <unistd.h>
  30 #include <limits.h>
  31 
  32 #include "childproc.h"
  33 
  34 
  35 ssize_t
  36 restartableWrite(int fd, const void *buf, size_t count)
  37 {
  38     ssize_t result;
  39     RESTARTABLE(write(fd, buf, count), result);
  40     return result;
  41 }
  42 
  43 int
  44 restartableDup2(int fd_from, int fd_to)
  45 {
  46     int err;
  47     RESTARTABLE(dup2(fd_from, fd_to), err);
  48     return err;
  49 }
  50 
  51 int
  52 restartableClose(int fd)
  53 {
  54     int err;
  55     RESTARTABLE(close(fd), err);
  56     return err;
  57 }
  58 
  59 int
  60 closeSafely(int fd)
  61 {
  62     return (fd == -1) ? 0 : restartableClose(fd);
  63 }
  64 
  65 int
  66 isAsciiDigit(char c)
  67 {
  68   return c >= '0' && c <= '9';
  69 }
  70 
  71 #ifdef _ALLBSD_SOURCE
  72 #define FD_DIR "/dev/fd"
  73 #define dirent64 dirent
  74 #define readdir64 readdir
  75 #else
  76 #define FD_DIR "/proc/self/fd"
  77 #endif
  78 
  79 int
  80 closeDescriptors(void)
  81 {
  82     DIR *dp;
  83     struct dirent64 *dirp;
  84     int from_fd = FAIL_FILENO + 1;
  85 
  86     /* We're trying to close all file descriptors, but opendir() might
  87      * itself be implemented using a file descriptor, and we certainly
  88      * don't want to close that while it's in use.  We assume that if
  89      * opendir() is implemented using a file descriptor, then it uses
  90      * the lowest numbered file descriptor, just like open().  So we
  91      * close a couple explicitly.  */
  92 
  93     restartableClose(from_fd);          /* for possible use by opendir() */
  94     restartableClose(from_fd + 1);      /* another one for good luck */
  95 
  96     if ((dp = opendir(FD_DIR)) == NULL)
  97         return 0;
  98 
  99     /* We use readdir64 instead of readdir to work around Solaris bug
 100      * 6395699: /proc/self/fd fails to report file descriptors >= 1024 on Solaris 9
 101      */
 102     while ((dirp = readdir64(dp)) != NULL) {
 103         int fd;
 104         if (isAsciiDigit(dirp->d_name[0]) &&
 105             (fd = strtol(dirp->d_name, NULL, 10)) >= from_fd + 2)
 106             restartableClose(fd);
 107     }
 108 
 109     closedir(dp);
 110 
 111     return 1;
 112 }
 113 
 114 int
 115 moveDescriptor(int fd_from, int fd_to)
 116 {
 117     if (fd_from != fd_to) {
 118         if ((restartableDup2(fd_from, fd_to) == -1) ||
 119             (restartableClose(fd_from) == -1))
 120             return -1;
 121     }
 122     return 0;
 123 }
 124 
 125 int
 126 magicNumber() {
 127     return 43110;
 128 }
 129 
 130 /*
 131  * Reads nbyte bytes from file descriptor fd into buf,
 132  * The read operation is retried in case of EINTR or partial reads.
 133  *
 134  * Returns number of bytes read (normally nbyte, but may be less in
 135  * case of EOF).  In case of read errors, returns -1 and sets errno.
 136  */
 137 ssize_t
 138 readFully(int fd, void *buf, size_t nbyte)
 139 {
 140     ssize_t remaining = nbyte;
 141     for (;;) {
 142         ssize_t n = read(fd, buf, remaining);
 143         if (n == 0) {
 144             return nbyte - remaining;
 145         } else if (n > 0) {
 146             remaining -= n;
 147             if (remaining <= 0)
 148                 return nbyte;
 149             /* We were interrupted in the middle of reading the bytes.
 150              * Unlikely, but possible. */
 151             buf = (void *) (((char *)buf) + n);
 152         } else if (errno == EINTR) {
 153             /* Strange signals like SIGJVM1 are possible at any time.
 154              * See http://www.dreamsongs.com/WorseIsBetter.html */
 155         } else {
 156             return -1;
 157         }
 158     }
 159 }
 160 
 161 void
 162 initVectorFromBlock(const char**vector, const char* block, int count)
 163 {
 164     int i;
 165     const char *p;
 166     for (i = 0, p = block; i < count; i++) {
 167         /* Invariant: p always points to the start of a C string. */
 168         vector[i] = p;
 169         while (*(p++));
 170     }
 171     vector[count] = NULL;
 172 }
 173 
 174 /**
 175  * Exec FILE as a traditional Bourne shell script (i.e. one without #!).
 176  * If we could do it over again, we would probably not support such an ancient
 177  * misfeature, but compatibility wins over sanity.  The original support for
 178  * this was imported accidentally from execvp().
 179  */
 180 void
 181 execve_as_traditional_shell_script(const char *file,
 182                                    const char *argv[],
 183                                    const char *const envp[])
 184 {
 185     /* Use the extra word of space provided for us in argv by caller. */
 186     const char *argv0 = argv[0];
 187     const char *const *end = argv;
 188     while (*end != NULL)
 189         ++end;
 190     memmove(argv+2, argv+1, (end-argv) * sizeof (*end));
 191     argv[0] = "/bin/sh";
 192     argv[1] = file;
 193     execve(argv[0], (char **) argv, (char **) envp);
 194     /* Can't even exec /bin/sh?  Big trouble, but let's soldier on... */
 195     memmove(argv+1, argv+2, (end-argv) * sizeof (*end));
 196     argv[0] = argv0;
 197 }
 198 
 199 /**
 200  * Like execve(2), except that in case of ENOEXEC, FILE is assumed to
 201  * be a shell script and the system default shell is invoked to run it.
 202  */
 203 void
 204 execve_with_shell_fallback(int mode, const char *file,
 205                            const char *argv[],
 206                            const char *const envp[])
 207 {
 208     if (mode == MODE_CLONE || mode == MODE_VFORK) {
 209         /* shared address space; be very careful. */
 210         execve(file, (char **) argv, (char **) envp);
 211         if (errno == ENOEXEC)
 212             execve_as_traditional_shell_script(file, argv, envp);
 213     } else {
 214         /* unshared address space; we can mutate environ. */
 215         environ = (char **) envp;
 216         execvp(file, (char **) argv);
 217     }
 218 }
 219 
 220 /**
 221  * 'execvpe' should have been included in the Unix standards,
 222  * and is a GNU extension in glibc 2.10.
 223  *
 224  * JDK_execvpe is identical to execvp, except that the child environment is
 225  * specified via the 3rd argument instead of being inherited from environ.
 226  */
 227 void
 228 JDK_execvpe(int mode, const char *file,
 229             const char *argv[],
 230             const char *const envp[])
 231 {
 232     if (envp == NULL || (char **) envp == environ) {
 233         execvp(file, (char **) argv);
 234         return;
 235     }
 236 
 237     if (*file == '\0') {
 238         errno = ENOENT;
 239         return;
 240     }
 241 
 242     if (strchr(file, '/') != NULL) {
 243         execve_with_shell_fallback(mode, file, argv, envp);
 244     } else {
 245         /* We must search PATH (parent's, not child's) */
 246         char expanded_file[PATH_MAX];
 247         int filelen = strlen(file);
 248         int sticky_errno = 0;
 249         const char * const * dirs;
 250         for (dirs = parentPathv; *dirs; dirs++) {
 251             const char * dir = *dirs;
 252             int dirlen = strlen(dir);
 253             if (filelen + dirlen + 2 >= PATH_MAX) {
 254                 errno = ENAMETOOLONG;
 255                 continue;
 256             }
 257             memcpy(expanded_file, dir, dirlen);
 258             if (expanded_file[dirlen - 1] != '/')
 259                 expanded_file[dirlen++] = '/';
 260             memcpy(expanded_file + dirlen, file, filelen);
 261             expanded_file[dirlen + filelen] = '\0';
 262             execve_with_shell_fallback(mode, expanded_file, argv, envp);
 263             /* There are 3 responses to various classes of errno:
 264              * return immediately, continue (especially for ENOENT),
 265              * or continue with "sticky" errno.
 266              *
 267              * From exec(3):
 268              *
 269              * If permission is denied for a file (the attempted
 270              * execve returned EACCES), these functions will continue
 271              * searching the rest of the search path.  If no other
 272              * file is found, however, they will return with the
 273              * global variable errno set to EACCES.
 274              */
 275             switch (errno) {
 276             case EACCES:
 277                 sticky_errno = errno;
 278                 /* FALLTHRU */
 279             case ENOENT:
 280             case ENOTDIR:
 281 #ifdef ELOOP
 282             case ELOOP:
 283 #endif
 284 #ifdef ESTALE
 285             case ESTALE:
 286 #endif
 287 #ifdef ENODEV
 288             case ENODEV:
 289 #endif
 290 #ifdef ETIMEDOUT
 291             case ETIMEDOUT:
 292 #endif
 293                 break; /* Try other directories in PATH */
 294             default:
 295                 return;
 296             }
 297         }
 298         if (sticky_errno != 0)
 299             errno = sticky_errno;
 300     }
 301 }
 302 
 303 /**
 304  * Child process after a successful fork() or clone().
 305  * This function must not return, and must be prepared for either all
 306  * of its address space to be shared with its parent, or to be a copy.
 307  * It must not modify global variables such as "environ".
 308  */
 309 int
 310 childProcess(void *arg)
 311 {
 312     const ChildStuff* p = (const ChildStuff*) arg;
 313 
 314     /* Close the parent sides of the pipes.
 315        Closing pipe fds here is redundant, since closeDescriptors()
 316        would do it anyways, but a little paranoia is a good thing. */
 317     if ((closeSafely(p->in[1])   == -1) ||
 318         (closeSafely(p->out[0])  == -1) ||
 319         (closeSafely(p->err[0])  == -1) ||
 320         (closeSafely(p->childenv[0])  == -1) ||
 321         (closeSafely(p->childenv[1])  == -1) ||
 322         (closeSafely(p->fail[0]) == -1))
 323         goto WhyCantJohnnyExec;
 324 
 325     /* Give the child sides of the pipes the right fileno's. */
 326     /* Note: it is possible for in[0] == 0 */
 327     if ((moveDescriptor(p->in[0] != -1 ?  p->in[0] : p->fds[0],
 328                         STDIN_FILENO) == -1) ||
 329         (moveDescriptor(p->out[1]!= -1 ? p->out[1] : p->fds[1],
 330                         STDOUT_FILENO) == -1))
 331         goto WhyCantJohnnyExec;
 332 
 333     if (p->redirectErrorStream) {
 334         if ((closeSafely(p->err[1]) == -1) ||
 335             (restartableDup2(STDOUT_FILENO, STDERR_FILENO) == -1))
 336             goto WhyCantJohnnyExec;
 337     } else {
 338         if (moveDescriptor(p->err[1] != -1 ? p->err[1] : p->fds[2],
 339                            STDERR_FILENO) == -1)
 340             goto WhyCantJohnnyExec;
 341     }
 342 
 343     if (moveDescriptor(p->fail[1], FAIL_FILENO) == -1)
 344         goto WhyCantJohnnyExec;
 345 
 346     /* close everything */
 347     if (closeDescriptors() == 0) { /* failed,  close the old way */
 348         int max_fd = (int)sysconf(_SC_OPEN_MAX);
 349         int fd;
 350         for (fd = FAIL_FILENO + 1; fd < max_fd; fd++)
 351             if (restartableClose(fd) == -1 && errno != EBADF)
 352                 goto WhyCantJohnnyExec;
 353     }
 354 
 355     /* change to the new working directory */
 356     if (p->pdir != NULL && chdir(p->pdir) < 0)
 357         goto WhyCantJohnnyExec;
 358 
 359     if (fcntl(FAIL_FILENO, F_SETFD, FD_CLOEXEC) == -1)
 360         goto WhyCantJohnnyExec;
 361 
 362     JDK_execvpe(p->mode, p->argv[0], p->argv, p->envv);
 363 
 364  WhyCantJohnnyExec:
 365     /* We used to go to an awful lot of trouble to predict whether the
 366      * child would fail, but there is no reliable way to predict the
 367      * success of an operation without *trying* it, and there's no way
 368      * to try a chdir or exec in the parent.  Instead, all we need is a
 369      * way to communicate any failure back to the parent.  Easy; we just
 370      * send the errno back to the parent over a pipe in case of failure.
 371      * The tricky thing is, how do we communicate the *success* of exec?
 372      * We use FD_CLOEXEC together with the fact that a read() on a pipe
 373      * yields EOF when the write ends (we have two of them!) are closed.
 374      */
 375     {
 376         int errnum = errno;
 377         restartableWrite(FAIL_FILENO, &errnum, sizeof(errnum));
 378     }
 379     restartableClose(FAIL_FILENO);
 380     _exit(-1);
 381     return 0;  /* Suppress warning "no return value from function" */
 382 }