gh-112334: Restore subprocess's use of vfork() & fix extra_groups=[] behavior
#112617
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…roups=[]`. Fixed a performance regression in 3.12's :mod:`subprocess` on Linux where it would no longer use the fast-path ``vfork()`` system call when it could have due to a logic bug, instead falling back to the safe but slower ``fork()``. Also fixed a second 3.12.0 potential security bug. If a value of ``extra_groups=[]`` was passed to :mod:`subprocess.Popen` or related APIs, the underlying ``setgroups(0, NULL)`` system call to clear the groups list would not be made in the child process prior to ``exec()``. The security issue was identified via code inspection in the process of fixing the first bug. Thanks to @vain for the detailed report and analysis in the initial bug on Github. * [ ] A regression test is desirable. I'm pondering a test that runs when `strace` is available and permitted which and confirms use of `vfork()` vs `clone()`...
gpshead
added
type-bug
gpshead
added
the
🔨 test-with-buildbots
bedevere-bot
removed
the
🔨 test-with-buildbots
|
@gpshead Thank you! FWIW, this fixes my test case. :) |
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Based on Serhiy's code review. (thanks!) Confirmed it still passes as root and non-root on Linux.
serhiy-storchaka
approved these changes
Dec 4, 2023
serhiy-storchaka
added
the
🔨 test-with-buildbots
|
🤖 New build scheduled with the buildbot fleet by @serhiy-storchaka for commit ce31462 🤖 If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again. |
bedevere-bot
removed
the
🔨 test-with-buildbots
|
Thanks @gpshead for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12. |
|
GH-112731 is a backport of this pull request to the 3.12 branch. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Dec 4, 2023
…roups=[]` behavior (pythonGH-112617) Restore `subprocess`'s intended use of `vfork()` by default for performance on Linux; also fixes the behavior of `extra_groups=[]` which was unintentionally broken in 3.12.0: Fixed a performance regression in 3.12's :mod:`subprocess` on Linux where it would no longer use the fast-path ``vfork()`` system call when it could have due to a logic bug, instead falling back to the safe but slower ``fork()``. Also fixed a security bug introduced in 3.12.0. If a value of ``extra_groups=[]`` was passed to :mod:`subprocess.Popen` or related APIs, the underlying ``setgroups(0, NULL)`` system call to clear the groups list would not be made in the child process prior to ``exec()``. The security issue was identified via code inspection in the process of fixing the first bug. Thanks to @vain for the detailed report and analysis in the initial bug on Github. (cherry picked from commit 9fe7655) Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
I will add the desired vfork regression test in a followup PR. Merging now to unblock releasing the fix. |
gpshead
added a commit
that referenced
this pull request
Dec 4, 2023
…groups=[]` behavior (GH-112617) (#112731) Restore `subprocess`'s intended use of `vfork()` by default for performance on Linux; also fixes the behavior of `extra_groups=[]` which was unintentionally broken in 3.12.0: Fixed a performance regression in 3.12's :mod:`subprocess` on Linux where it would no longer use the fast-path ``vfork()`` system call when it could have due to a logic bug, instead falling back to the safe but slower ``fork()``. Also fixed a security bug introduced in 3.12.0. If a value of ``extra_groups=[]`` was passed to :mod:`subprocess.Popen` or related APIs, the underlying ``setgroups(0, NULL)`` system call to clear the groups list would not be made in the child process prior to ``exec()``. The security issue was identified via code inspection in the process of fixing the first bug. Thanks to @vain for the detailed report and analysis in the initial bug on Github. (cherry picked from commit 9fe7655) + Reword NEWS for the bugfix/security release. (mentions the assigned CVE number) Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
aisk
pushed a commit
to aisk/cpython
that referenced
this pull request
Feb 11, 2024
…roups=[]` behavior (python#112617) Restore `subprocess`'s intended use of `vfork()` by default for performance on Linux; also fixes the behavior of `extra_groups=[]` which was unintentionally broken in 3.12.0: Fixed a performance regression in 3.12's :mod:`subprocess` on Linux where it would no longer use the fast-path ``vfork()`` system call when it could have due to a logic bug, instead falling back to the safe but slower ``fork()``. Also fixed a security bug introduced in 3.12.0. If a value of ``extra_groups=[]`` was passed to :mod:`subprocess.Popen` or related APIs, the underlying ``setgroups(0, NULL)`` system call to clear the groups list would not be made in the child process prior to ``exec()``. The security issue was identified via code inspection in the process of fixing the first bug. Thanks to @vain for the detailed report and analysis in the initial bug on Github. Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixed a performance regression in 3.12's
subprocesson Linux where it would no longer use the fast-pathvfork()system call when it could have due to a logic bug, instead falling back to the safe but slowerfork().Also fixed a second 3.12.0 potential security bug. If a value of
extra_groups=[]was passed tosubprocess.Popenor related APIs, the underlyingsetgroups(0, NULL)system call to clear the groups list would not be made in the child process prior toexec().The security issue was identified via code inspection in the process of fixing the first bug. Thanks to @vain for the detailed report and analysis in the initial bug on Github.
straceis available and permitted which and confirms use ofvfork()vsclone()...setgroup()not being called is included in this PR. It must be run asrooton Linux. I believe one of our buildbots is configured to run that way.user=andgroup=parameters are also being used to drop privs...Fixes #112334.
The security issue has been assigned CVE-2023-6507.