Do not close FDs 0, 1, or 2

If they are closed, another file descriptor could be created with these numbers, and so standard library functions that use them might write to an unwanted place. dup2() a file descriptor to /dev/null over them instead.
QubesOS · Jan 9, 2025 · 29a0392 · 29a0392
1 parent 6077a10
commit 29a0392
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/agent/qrexec-agent.c b/agent/qrexec-agent.c
@@ -71,10 +71,12 @@ static libvchan_t *ctrl_vchan;
 
 static pid_t wait_for_session_pid = -1;
 
-static int trigger_fd;
+static int trigger_fd = -1;
 
 static int terminate_requested;
 
+static int null_fd = -1;
+
 static int meminfo_write_started = 0;
 
 static const char *agent_trigger_path = QREXEC_AGENT_TRIGGER_PATH;
@@ -288,9 +290,12 @@ _Noreturn void do_exec(const char *cmd, const char *user)
             /* parent */
             /* close std*, so when child process closes them, qrexec-agent will receive EOF */
             /* this is the main purpose of this reimplementation of /bin/su... */
-            close(0);
-            close(1);
-            close(2);
+            for (int i = 0; i < 3; ++i) {
+                int j;
+                do {
+                    j = dup2(null_fd, i);
+                } while (j == -1 && errno == EINTR);
+            }
     }
 
     /* reachable only in parent */
@@ -379,6 +384,9 @@ static void init(void)
     if (handle_handshake(ctrl_vchan) < 0)
         exit(1);
     old_umask = umask(0);
+    null_fd = open("/dev/null", O_RDWR|O_CLOEXEC|O_NOCTTY);
+    if (null_fd == -1)
+        err(1, "open /dev/null");
     trigger_fd = get_server_socket(agent_trigger_path);
     umask(old_umask);
     register_exec_func(do_exec);