diff --git a/pciutils-ocloexec.patch b/pciutils-ocloexec.patch
new file mode 100644
index 0000000..0afc1ec
--- /dev/null
+++ b/pciutils-ocloexec.patch
@@ -0,0 +1,118 @@
+--- lib/dump.c.orig
++++ lib/dump.c
+@@ -64,7 +64,7 @@ dump_init(struct pci_access *a)
+ 
+ if (!a)
+ a->error("dump: File name not given.");
+- if (!(f = fopen(name, "r")))
++ if (!(f = fopen(name, "re")))
+ a->error("dump: Cannot open %s: %s", name, strerror(errno));
+ while (fgets(buf, sizeof(buf)-1, f))
+ {
+--- lib/proc.c.orig
++++ lib/proc.c
+@@ -62,7 +62,7 @@ proc_scan(struct pci_access *a)
+ 
+ if (snprintf(buf, sizeof(buf), "%s/devices", pci_get_param(a, "proc.path")) == sizeof(buf))
+ a->error("File name too long");
+- f = fopen(buf, "r");
++ f = fopen(buf, "re");
+ if (!f)
+ a->error("Cannot open %s", buf);
+ while (fgets(buf, sizeof(buf)-1, f))
+@@ -129,7 +129,7 @@ proc_setup(struct pci_dev *d, int rw)
+ if (e < 0 || e >= (int) sizeof(buf))
+ a->error("File name too long");
+ a->fd_rw = a->writeable || rw;
+- a->fd = open(buf, a->fd_rw ? O_RDWR : O_RDONLY);
++ a->fd = open(buf, (a->fd_rw ? O_RDWR : O_RDONLY) | O_CLOEXEC);
+ if (a->fd < 0)
+ {
+ e = snprintf(buf, sizeof(buf), "%s/%04x:%02x/%02x.%d",
+@@ -137,7 +137,7 @@ proc_setup(struct pci_dev *d, int rw)
+ d->domain, d->bus, d->dev, d->func);
+ if (e < 0 || e >= (int) sizeof(buf))
+ a->error("File name too long");
+- a->fd = open(buf, a->fd_rw ? O_RDWR : O_RDONLY);
++ a->fd = open(buf, (a->fd_rw ? 
O_RDWR : O_RDONLY) | O_CLOEXEC);
+ }
+ if (a->fd < 0)
+ a->warning("Cannot open %s", buf);
+--- lib/names-parse.c.orig
++++ lib/names-parse.c
+@@ -52,7 +52,7 @@ static pci_file pci_open(struct pci_acce
+ typedef FILE * pci_file;
+ #define pci_gets(f, l, s) fgets(l, s, f)
+ #define pci_eof(f) feof(f)
+-#define pci_open(a) fopen(a->id_file_name, "r")
++#define pci_open(a) fopen(a->id_file_name, "re")
+ #define pci_close(f) fclose(f)
+ #define PCI_ERROR(f, err) if (!err && ferror(f)) err = "I/O error";
+ #endif
+--- lib/names-cache.c.orig
++++ lib/names-cache.c
+@@ -62,7 +62,7 @@ pci_id_cache_load(struct pci_access *a,
+ return 0;
+ }
+ 
+- f = fopen(name, "rb");
++ f = fopen(name, "rbe");
+ if (!f)
+ {
+ a->debug("Cache file does not exist\n");
+@@ -135,7 +135,7 @@ pci_id_cache_flush(struct pci_access *a)
+ tmpname = pci_malloc(a, strlen(name) + strlen(hostname) + 64);
+ sprintf(tmpname, "%s.tmp-%s-%d", name, hostname, this_pid);
+ 
+- f = fopen(tmpname, "wb");
++ f = fopen(tmpname, "wbe");
+ if (!f)
+ {
+ a->warning("Cannot write to %s: %s", name, strerror(errno));
+--- lib/sysfs.c.orig
++++ lib/sysfs.c
+@@ -93,7 +93,7 @@ sysfs_get_value(struct pci_dev *d, char
+ char namebuf[OBJNAMELEN], buf[256];
+ 
+ sysfs_obj_name(d, object, namebuf);
+- fd = open(namebuf, O_RDONLY);
++ fd = open(namebuf, O_RDONLY|O_CLOEXEC);
+ if (fd < 0)
+ a->error("Cannot open %s: %s", namebuf, strerror(errno));
+ n = read(fd, buf, sizeof(buf));
+@@ -115,7 +115,7 @@ sysfs_get_resources(struct pci_dev *d)
+ int i;
+ 
+ sysfs_obj_name(d, "resource", namebuf);
+- file = fopen(namebuf, "r");
++ file = fopen(namebuf, "re");
+ if (!file)
+ a->error("Cannot open %s: %s", namebuf, strerror(errno));
+ for (i = 0; i < 7; i++)
+@@ -220,7 +220,7 @@ sysfs_fill_slots(struct pci_access *a)
+ n = snprintf(namebuf, OBJNAMELEN, "%s/%s/%s", dirname, entry->d_name, "address");
+ if (n < 0 || n >= OBJNAMELEN)
+ a->error("File name too long");
+- file = fopen(namebuf, "r");
++ file = fopen(namebuf, "re");
+ /*
+ * Old 
versions of Linux had a fakephp which didn't have an 'address'
+ * file. There's no useful information to be gleaned from these
+@@ -283,7 +283,7 @@ sysfs_setup(struct pci_dev *d, int inten
+ if (a->fd_vpd < 0)
+ {
+ sysfs_obj_name(d, "vpd", namebuf);
+- a->fd_vpd = open(namebuf, O_RDONLY);
++ a->fd_vpd = open(namebuf, O_RDONLY|O_CLOEXEC);
+ /* No warning on error; vpd may be absent or accessible only to root */
+ }
+ return a->fd_vpd;
+@@ -293,7 +293,7 @@ sysfs_setup(struct pci_dev *d, int inten
+ {
+ sysfs_obj_name(d, "config", namebuf);
+ a->fd_rw = a->writeable || intent == SETUP_WRITE_CONFIG;
+- a->fd = open(namebuf, a->fd_rw ? O_RDWR : O_RDONLY);
++ a->fd = open(namebuf, (a->fd_rw ? O_RDWR : O_RDONLY) | O_CLOEXEC);
+ if (a->fd < 0)
+ a->warning("Cannot open %s", namebuf);
+ a->fd_pos = 0;
diff --git a/pciutils.changes b/pciutils.changes
index 41b93a8..d72b95b 100644
--- a/pciutils.changes
+++ b/pciutils.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Nov 14 22:34:42 UTC 2011 - crrodriguez@opensuse.org
+
+- open all file descriptors with O_CLOEXEC,specially important
+ on libpci and calling apps may fork() and we end up leaking
+ information to child processes.
+
 -------------------------------------------------------------------
 Mon Mar 21 16:52:43 UTC 2011 - coolo@novell.com
 
diff --git a/pciutils.spec b/pciutils.spec
index 0865a09..9c0bee4 100644
--- a/pciutils.spec
+++ b/pciutils.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package pciutils (Version 3.1.7)
+# spec file for package pciutils
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
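Review bot: The lib/names-parse.c hunk adds `"e"` only to the stdio `#define pci_open(a)` that sits just before `#endif`, while the hunk header shows a separate `static pci_file pci_open(...)` earlier in the file, presumably the compressed-IDs variant, which this patch does not touch. The spec lists `BuildRequires: zlib-devel`, so the packaged libpci may be compiled with that other branch, and the pci.ids descriptor would then still be inherited by exec'd children; its body is outside the hunk, so this needs checking against the full file. The flag also only takes effect at exec, not at fork(), and `"e"` in the `fopen()` mode string is a glibc extension, so the fopen() call sites in lib/dump.c, lib/names-parse.c and lib/names-cache.c get no protection on a libc that ignores it. I would put a short description at the top of the patch saying so, e.g. `Set close-on-exec on libpci descriptors (glibc "e" mode, O_CLOEXEC); zlib pci_open() path still to be checked.`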
@@ -20,7 +20,7 @@ Name: pciutils Version: 3.1.7 -Release: 7 +Release: 11 BuildRequires: zlib-devel BuildRequires: pkg-config Requires: pciutils-ids @@ -39,6 +39,7 @@ Source1: COPYING Source2: baselibs.conf Patch: update-pciutils-dist Patch1: %{name}-%{version}_pkgconfig.patch +Patch2: pciutils-ocloexec.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -84,6 +85,7 @@ Authors: %setup -q %patch -p1 %patch1 +%patch2 %build make %{?_smp_mflags} OPT="$RPM_OPT_FLAGS -Wall" PREFIX=%{_prefix} LIBDIR=/%{_lib} SBINDIR=/sbin STRIP="" SHARED="yes"