os.RemoveAll: openFdAt function without O_CLOEXEC and cause fd escape to child process [1.12 backport] #33424

Closed
gopherbot opened this issue Aug 2, 2019 · 11 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge
Milestone

Comments

@gopherbot
Contributor

@oiooj requested issue #33405 to be considered for backport to the next 1.12 minor release.

Yes, I think it should be backported to 1.12. Hi, @gopherbot please open backport to 1.12

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Aug 2, 2019
@gopherbot gopherbot added this to the Go1.12.8 milestone Aug 2, 2019
@gopherbot
Contributor Author

Change https://golang.org/cl/188538 mentions this issue: [release-branch.go1.12] os: enable the close-on-exec flag for openFdAt

@oiooj
Member

oiooj commented Aug 2, 2019

Ping @ianlancetaylor

gopherbot pushed a commit that referenced this issue Aug 2, 2019
There's a race here with fork/exec, enable the close-on-exec flag
for the new file descriptor.

Updates #33405
Fixes #33424

Change-Id: Ib1e405c3b48b11c867f183fd13eff8b73d95e3b4
Reviewed-on: https://go-review.googlesource.com/c/go/+/188537
Run-TryBot: Baokun Lee <nototon@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
(cherry picked from commit 2d6ee6e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/188538
Run-TryBot: Ian Lance Taylor <iant@golang.org>
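
The close-on-exec flag that this commit enables can be checked per descriptor with `fcntl(F_GETFD)`. The following is an added example for Linux, not code from the issue thread or the Go source tree; `openAt`, `survivesExec` and `audit` are hypothetical names, and the temporary directory is constructed sample input:

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// openAt is a hypothetical stand-in for an openat(2) helper such as openFdAt:
// it opens name relative to dirfd, with or without O_CLOEXEC.
func openAt(dirfd int, name string, cloexec bool) (int, error) {
	flags := syscall.O_RDONLY
	if cloexec {
		flags |= syscall.O_CLOEXEC
	}
	return syscall.Openat(dirfd, name, flags, 0)
}

// survivesExec reports whether fd is open and lacks FD_CLOEXEC, i.e. whether
// a child created by fork/exec would inherit it.
func survivesExec(fd int) bool {
	r, _, e := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFD, 0)
	return e == 0 && r&syscall.FD_CLOEXEC == 0
}

// audit opens "." relative to dir both ways and checks each descriptor.
func audit(dir string) (bool, bool, error) {
	parent, err := os.Open(dir) // os.Open itself sets O_CLOEXEC
	if err != nil {
		return false, false, err
	}
	defer parent.Close()
	a, err := openAt(int(parent.Fd()), ".", false)
	if err != nil {
		return false, false, err
	}
	defer syscall.Close(a)
	b, err := openAt(int(parent.Fd()), ".", true)
	if err != nil {
		return false, false, err
	}
	defer syscall.Close(b)
	return survivesExec(a), survivesExec(b), nil
}

func main() {
	leaky, safe, err := audit(os.TempDir()) // constructed sample input
	fmt.Println("inherited without O_CLOEXEC:", leaky, "with O_CLOEXEC:", safe, err)
}
```
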
@gopherbot
Contributor Author

Closed by merging 047a326 to release-branch.go1.12.

@dmitshur dmitshur modified the milestones: Go1.12.8, Go1.12.9 Aug 13, 2019
@dmitshur
Contributor

This backport has been approved and merged to the release branch; updating label to CherryPickApproved to reflect that. The rationale was that this was a serious problem with no workaround.

@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Aug 15, 2019
@oiooj
Member

oiooj commented Aug 15, 2019

@dmitshur I was surprised that this fix is not in the 1.12.8 release. https://groups.google.com/forum/m/#!topic/golang-dev/CL4in60FCuA

@dmitshur
Contributor

@oiooj It's because Go 1.12.8 was a security release, so its contents are just Go 1.12.7 with the security fixes applied. The next point release, Go 1.12.9, will include both the security fixes from 1.12.8 and all other changes that have been backported to the 1.12 release branch (release-branch.go1.12) since 1.12.7. This backport will be included.

@oiooj
Member

oiooj commented Aug 15, 2019

@dmitshur Thanks, but the users need to wait for another month? And some users thought that this was fixed in the v1.12.8 release, see kubernetes/minikube#5087 and kubernetes/kubernetes#79912.

@dmitshur
Contributor

The Go 1.12.9 point release is coming out very soon after the security release. It's planned to be released today.

@fuweid
Contributor

fuweid commented Aug 15, 2019

@dmitshur I was thinking it was in the .8 point release. Is it a good idea to have a pre-release note about the coming point release? I checked https://groups.google.com/forum/#!topic/golang-nuts/-Ba7cHufTKc and considered the fd leak to be one of the security issues. But it wasn't. So if there is any pre-release note, it will be helpful! Thanks

@dmitshur
Contributor

dmitshur commented Aug 15, 2019

For security releases, we can't include the details of the security fixes in the pre-announcement until the security release is available. For all other releases, you can look at the upcoming milestone, e.g., Go1.12.9, and see which cherry-pick candidates have been approved to get a sense of what's coming in the next point release. See https://golang.org/wiki/MinorReleases and https://golang.org/security for more information about this process.

If you'd like to discuss the release process further or make suggestions, please start a new thread in the golang-dev mailing list.

@fuweid
Contributor

fuweid commented Aug 16, 2019

@dmitshur thanks for the reply.

4 participants