diff options
Diffstat (limited to 'run-command.c')
| -rw-r--r-- | run-command.c | 457 | 
1 files changed, 377 insertions, 80 deletions
| diff --git a/run-command.c b/run-command.c index 574b81d3e8..9e36151bf9 100644 --- a/run-command.c +++ b/run-command.c @@ -117,18 +117,65 @@ static inline void close_pair(int fd[2])  	close(fd[1]);  } -#ifndef GIT_WINDOWS_NATIVE -static inline void dup_devnull(int to) +int is_executable(const char *name)  { -	int fd = open("/dev/null", O_RDWR); -	if (fd < 0) -		die_errno(_("open /dev/null failed")); -	if (dup2(fd, to) < 0) -		die_errno(_("dup2(%d,%d) failed"), fd, to); -	close(fd); +	struct stat st; + +	if (stat(name, &st) || /* stat, not lstat */ +	    !S_ISREG(st.st_mode)) +		return 0; + +#if defined(GIT_WINDOWS_NATIVE) +	/* +	 * On Windows there is no executable bit. The file extension +	 * indicates whether it can be run as an executable, and Git +	 * has special-handling to detect scripts and launch them +	 * through the indicated script interpreter. We test for the +	 * file extension first because virus scanners may make +	 * it quite expensive to open many files. +	 */ +	if (ends_with(name, ".exe")) +		return S_IXUSR; + +{ +	/* +	 * Now that we know it does not have an executable extension, +	 * peek into the file instead. +	 */ +	char buf[3] = { 0 }; +	int n; +	int fd = open(name, O_RDONLY); +	st.st_mode &= ~S_IXUSR; +	if (fd >= 0) { +		n = read(fd, buf, 2); +		if (n == 2) +			/* look for a she-bang */ +			if (!strcmp(buf, "#!")) +				st.st_mode |= S_IXUSR; +		close(fd); +	}  }  #endif +	return st.st_mode & S_IXUSR; +} +/* + * Search $PATH for a command.  This emulates the path search that + * execvp would perform, without actually executing the command so it + * can be used before fork() to prepare to run a command using + * execve() or after execvp() to diagnose why it failed. + * + * The caller should ensure that file contains no directory + * separators. + * + * Returns the path to the command, as found in $PATH or NULL if the + * command could not be found.  The caller inherits ownership of the memory + * used to store the resultant path. + * + * This should not be used on Windows, where the $PATH search rules + * are more complicated (e.g., a search for "foo" should find + * "foo.exe"). + */  static char *locate_in_PATH(const char *file)  {  	const char *p = getenv("PATH"); @@ -149,7 +196,7 @@ static char *locate_in_PATH(const char *file)  		}  		strbuf_addstr(&buf, file); -		if (!access(buf.buf, F_OK)) +		if (is_executable(buf.buf))  			return strbuf_detach(&buf, NULL);  		if (!*end) @@ -221,31 +268,248 @@ static const char **prepare_shell_cmd(struct argv_array *out, const char **argv)  }  #ifndef GIT_WINDOWS_NATIVE -static int execv_shell_cmd(const char **argv) +static int child_notifier = -1; + +enum child_errcode { +	CHILD_ERR_CHDIR, +	CHILD_ERR_DUP2, +	CHILD_ERR_CLOSE, +	CHILD_ERR_SIGPROCMASK, +	CHILD_ERR_ENOENT, +	CHILD_ERR_SILENT, +	CHILD_ERR_ERRNO +}; + +struct child_err { +	enum child_errcode err; +	int syserr; /* errno */ +}; + +static void child_die(enum child_errcode err)  { -	struct argv_array nargv = ARGV_ARRAY_INIT; -	prepare_shell_cmd(&nargv, argv); -	trace_argv_printf(nargv.argv, "trace: exec:"); -	sane_execvp(nargv.argv[0], (char **)nargv.argv); -	argv_array_clear(&nargv); -	return -1; +	struct child_err buf; + +	buf.err = err; +	buf.syserr = errno; + +	/* write(2) on buf smaller than PIPE_BUF (min 512) is atomic: */ +	xwrite(child_notifier, &buf, sizeof(buf)); +	_exit(1);  } -#endif -#ifndef GIT_WINDOWS_NATIVE -static int child_notifier = -1; +static void child_dup2(int fd, int to) +{ +	if (dup2(fd, to) < 0) +		child_die(CHILD_ERR_DUP2); +} -static void notify_parent(void) +static void child_close(int fd)  { +	if (close(fd)) +		child_die(CHILD_ERR_CLOSE); +} + +static void child_close_pair(int fd[2]) +{ +	child_close(fd[0]); +	child_close(fd[1]); +} + +/* + * parent will make it look like the child spewed a fatal error and died + * this is needed to prevent changes to t0061. + */ +static void fake_fatal(const char *err, va_list params) +{ +	vreportf("fatal: ", err, params); +} + +static void child_error_fn(const char *err, va_list params) +{ +	const char msg[] = "error() should not be called in child\n"; +	xwrite(2, msg, sizeof(msg) - 1); +} + +static void child_warn_fn(const char *err, va_list params) +{ +	const char msg[] = "warn() should not be called in child\n"; +	xwrite(2, msg, sizeof(msg) - 1); +} + +static void NORETURN child_die_fn(const char *err, va_list params) +{ +	const char msg[] = "die() should not be called in child\n"; +	xwrite(2, msg, sizeof(msg) - 1); +	_exit(2); +} + +/* this runs in the parent process */ +static void child_err_spew(struct child_process *cmd, struct child_err *cerr) +{ +	static void (*old_errfn)(const char *err, va_list params); + +	old_errfn = get_error_routine(); +	set_error_routine(fake_fatal); +	errno = cerr->syserr; + +	switch (cerr->err) { +	case CHILD_ERR_CHDIR: +		error_errno("exec '%s': cd to '%s' failed", +			    cmd->argv[0], cmd->dir); +		break; +	case CHILD_ERR_DUP2: +		error_errno("dup2() in child failed"); +		break; +	case CHILD_ERR_CLOSE: +		error_errno("close() in child failed"); +		break; +	case CHILD_ERR_SIGPROCMASK: +		error_errno("sigprocmask failed restoring signals"); +		break; +	case CHILD_ERR_ENOENT: +		error_errno("cannot run %s", cmd->argv[0]); +		break; +	case CHILD_ERR_SILENT: +		break; +	case CHILD_ERR_ERRNO: +		error_errno("cannot exec '%s'", cmd->argv[0]); +		break; +	} +	set_error_routine(old_errfn); +} + +static void prepare_cmd(struct argv_array *out, const struct child_process *cmd) +{ +	if (!cmd->argv[0]) +		die("BUG: command is empty"); + +	/* +	 * Add SHELL_PATH so in the event exec fails with ENOEXEC we can +	 * attempt to interpret the command with 'sh'. +	 */ +	argv_array_push(out, SHELL_PATH); + +	if (cmd->git_cmd) { +		argv_array_push(out, "git"); +		argv_array_pushv(out, cmd->argv); +	} else if (cmd->use_shell) { +		prepare_shell_cmd(out, cmd->argv); +	} else { +		argv_array_pushv(out, cmd->argv); +	} +  	/* -	 * execvp failed.  If possible, we'd like to let start_command -	 * know, so failures like ENOENT can be handled right away; but -	 * otherwise, finish_command will still report the error. +	 * If there are no '/' characters in the command then perform a path +	 * lookup and use the resolved path as the command to exec.  If there +	 * are no '/' characters or if the command wasn't found in the path, +	 * have exec attempt to invoke the command directly.  	 */ -	xwrite(child_notifier, "", 1); +	if (!strchr(out->argv[1], '/')) { +		char *program = locate_in_PATH(out->argv[1]); +		if (program) { +			free((char *)out->argv[1]); +			out->argv[1] = program; +		} +	} +} + +static char **prep_childenv(const char *const *deltaenv) +{ +	extern char **environ; +	char **childenv; +	struct string_list env = STRING_LIST_INIT_DUP; +	struct strbuf key = STRBUF_INIT; +	const char *const *p; +	int i; + +	/* Construct a sorted string list consisting of the current environ */ +	for (p = (const char *const *) environ; p && *p; p++) { +		const char *equals = strchr(*p, '='); + +		if (equals) { +			strbuf_reset(&key); +			strbuf_add(&key, *p, equals - *p); +			string_list_append(&env, key.buf)->util = (void *) *p; +		} else { +			string_list_append(&env, *p)->util = (void *) *p; +		} +	} +	string_list_sort(&env); + +	/* Merge in 'deltaenv' with the current environ */ +	for (p = deltaenv; p && *p; p++) { +		const char *equals = strchr(*p, '='); + +		if (equals) { +			/* ('key=value'), insert or replace entry */ +			strbuf_reset(&key); +			strbuf_add(&key, *p, equals - *p); +			string_list_insert(&env, key.buf)->util = (void *) *p; +		} else { +			/* otherwise ('key') remove existing entry */ +			string_list_remove(&env, *p, 0); +		} +	} + +	/* Create an array of 'char *' to be used as the childenv */ +	childenv = xmalloc((env.nr + 1) * sizeof(char *)); +	for (i = 0; i < env.nr; i++) +		childenv[i] = env.items[i].util; +	childenv[env.nr] = NULL; + +	string_list_clear(&env, 0); +	strbuf_release(&key); +	return childenv; +} + +struct atfork_state { +#ifndef NO_PTHREADS +	int cs; +#endif +	sigset_t old; +}; + +#ifndef NO_PTHREADS +static void bug_die(int err, const char *msg) +{ +	if (err) { +		errno = err; +		die_errno("BUG: %s", msg); +	}  }  #endif +static void atfork_prepare(struct atfork_state *as) +{ +	sigset_t all; + +	if (sigfillset(&all)) +		die_errno("sigfillset"); +#ifdef NO_PTHREADS +	if (sigprocmask(SIG_SETMASK, &all, &as->old)) +		die_errno("sigprocmask"); +#else +	bug_die(pthread_sigmask(SIG_SETMASK, &all, &as->old), +		"blocking all signals"); +	bug_die(pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &as->cs), +		"disabling cancellation"); +#endif +} + +static void atfork_parent(struct atfork_state *as) +{ +#ifdef NO_PTHREADS +	if (sigprocmask(SIG_SETMASK, &as->old, NULL)) +		die_errno("sigprocmask"); +#else +	bug_die(pthread_setcancelstate(as->cs, NULL), +		"re-enabling cancellation"); +	bug_die(pthread_sigmask(SIG_SETMASK, &as->old, NULL), +		"restoring signal mask"); +#endif +} +#endif /* GIT_WINDOWS_NATIVE */ +  static inline void set_cloexec(int fd)  {  	int flags = fcntl(fd, F_GETFD); @@ -281,13 +545,6 @@ static int wait_or_whine(pid_t pid, const char *argv0, int in_signal)  		code += 128;  	} else if (WIFEXITED(status)) {  		code = WEXITSTATUS(status); -		/* -		 * Convert special exit code when execvp failed. -		 */ -		if (code == 127) { -			code = -1; -			failed_errno = ENOENT; -		}  	} else {  		error("waitpid is confused (%s)", argv0);  	} @@ -372,109 +629,149 @@ fail_pipe:  #ifndef GIT_WINDOWS_NATIVE  {  	int notify_pipe[2]; +	int null_fd = -1; +	char **childenv; +	struct argv_array argv = ARGV_ARRAY_INIT; +	struct child_err cerr; +	struct atfork_state as; +  	if (pipe(notify_pipe))  		notify_pipe[0] = notify_pipe[1] = -1; +	if (cmd->no_stdin || cmd->no_stdout || cmd->no_stderr) { +		null_fd = open("/dev/null", O_RDWR | O_CLOEXEC); +		if (null_fd < 0) +			die_errno(_("open /dev/null failed")); +		set_cloexec(null_fd); +	} + +	prepare_cmd(&argv, cmd); +	childenv = prep_childenv(cmd->env); +	atfork_prepare(&as); + +	/* +	 * NOTE: In order to prevent deadlocking when using threads special +	 * care should be taken with the function calls made in between the +	 * fork() and exec() calls.  No calls should be made to functions which +	 * require acquiring a lock (e.g. malloc) as the lock could have been +	 * held by another thread at the time of forking, causing the lock to +	 * never be released in the child process.  This means only +	 * Async-Signal-Safe functions are permitted in the child. +	 */  	cmd->pid = fork();  	failed_errno = errno;  	if (!cmd->pid) { +		int sig;  		/* -		 * Redirect the channel to write syscall error messages to -		 * before redirecting the process's stderr so that all die() -		 * in subsequent call paths use the parent's stderr. +		 * Ensure the default die/error/warn routines do not get +		 * called, they can take stdio locks and malloc.  		 */ -		if (cmd->no_stderr || need_err) { -			int child_err = dup(2); -			set_cloexec(child_err); -			set_error_handle(fdopen(child_err, "w")); -		} +		set_die_routine(child_die_fn); +		set_error_routine(child_error_fn); +		set_warn_routine(child_warn_fn);  		close(notify_pipe[0]);  		set_cloexec(notify_pipe[1]);  		child_notifier = notify_pipe[1]; -		atexit(notify_parent);  		if (cmd->no_stdin) -			dup_devnull(0); +			child_dup2(null_fd, 0);  		else if (need_in) { -			dup2(fdin[0], 0); -			close_pair(fdin); +			child_dup2(fdin[0], 0); +			child_close_pair(fdin);  		} else if (cmd->in) { -			dup2(cmd->in, 0); -			close(cmd->in); +			child_dup2(cmd->in, 0); +			child_close(cmd->in);  		}  		if (cmd->no_stderr) -			dup_devnull(2); +			child_dup2(null_fd, 2);  		else if (need_err) { -			dup2(fderr[1], 2); -			close_pair(fderr); +			child_dup2(fderr[1], 2); +			child_close_pair(fderr);  		} else if (cmd->err > 1) { -			dup2(cmd->err, 2); -			close(cmd->err); +			child_dup2(cmd->err, 2); +			child_close(cmd->err);  		}  		if (cmd->no_stdout) -			dup_devnull(1); +			child_dup2(null_fd, 1);  		else if (cmd->stdout_to_stderr) -			dup2(2, 1); +			child_dup2(2, 1);  		else if (need_out) { -			dup2(fdout[1], 1); -			close_pair(fdout); +			child_dup2(fdout[1], 1); +			child_close_pair(fdout);  		} else if (cmd->out > 1) { -			dup2(cmd->out, 1); -			close(cmd->out); +			child_dup2(cmd->out, 1); +			child_close(cmd->out);  		}  		if (cmd->dir && chdir(cmd->dir)) -			die_errno("exec '%s': cd to '%s' failed", cmd->argv[0], -			    cmd->dir); -		if (cmd->env) { -			for (; *cmd->env; cmd->env++) { -				if (strchr(*cmd->env, '=')) -					putenv((char *)*cmd->env); -				else -					unsetenv(*cmd->env); -			} +			child_die(CHILD_ERR_CHDIR); + +		/* +		 * restore default signal handlers here, in case +		 * we catch a signal right before execve below +		 */ +		for (sig = 1; sig < NSIG; sig++) { +			/* ignored signals get reset to SIG_DFL on execve */ +			if (signal(sig, SIG_DFL) == SIG_IGN) +				signal(sig, SIG_IGN);  		} -		if (cmd->git_cmd) -			execv_git_cmd(cmd->argv); -		else if (cmd->use_shell) -			execv_shell_cmd(cmd->argv); -		else -			sane_execvp(cmd->argv[0], (char *const*) cmd->argv); + +		if (sigprocmask(SIG_SETMASK, &as.old, NULL) != 0) +			child_die(CHILD_ERR_SIGPROCMASK); + +		/* +		 * Attempt to exec using the command and arguments starting at +		 * argv.argv[1].  argv.argv[0] contains SHELL_PATH which will +		 * be used in the event exec failed with ENOEXEC at which point +		 * we will try to interpret the command using 'sh'. +		 */ +		execve(argv.argv[1], (char *const *) argv.argv + 1, +		       (char *const *) childenv); +		if (errno == ENOEXEC) +			execve(argv.argv[0], (char *const *) argv.argv, +			       (char *const *) childenv); +  		if (errno == ENOENT) { -			if (!cmd->silent_exec_failure) -				error("cannot run %s: %s", cmd->argv[0], -					strerror(ENOENT)); -			exit(127); +			if (cmd->silent_exec_failure) +				child_die(CHILD_ERR_SILENT); +			child_die(CHILD_ERR_ENOENT);  		} else { -			die_errno("cannot exec '%s'", cmd->argv[0]); +			child_die(CHILD_ERR_ERRNO);  		}  	} +	atfork_parent(&as);  	if (cmd->pid < 0)  		error_errno("cannot fork() for %s", cmd->argv[0]);  	else if (cmd->clean_on_exit)  		mark_child_for_cleanup(cmd->pid, cmd);  	/* -	 * Wait for child's execvp. If the execvp succeeds (or if fork() +	 * Wait for child's exec. If the exec succeeds (or if fork()  	 * failed), EOF is seen immediately by the parent. Otherwise, the -	 * child process sends a single byte. +	 * child process sends a child_err struct.  	 * Note that use of this infrastructure is completely advisory,  	 * therefore, we keep error checks minimal.  	 */  	close(notify_pipe[1]); -	if (read(notify_pipe[0], ¬ify_pipe[1], 1) == 1) { +	if (xread(notify_pipe[0], &cerr, sizeof(cerr)) == sizeof(cerr)) {  		/* -		 * At this point we know that fork() succeeded, but execvp() +		 * At this point we know that fork() succeeded, but exec()  		 * failed. Errors have been reported to our stderr.  		 */  		wait_or_whine(cmd->pid, cmd->argv[0], 0); +		child_err_spew(cmd, &cerr);  		failed_errno = errno;  		cmd->pid = -1;  	}  	close(notify_pipe[0]); + +	if (null_fd >= 0) +		close(null_fd); +	argv_array_clear(&argv); +	free(childenv);  }  #else  { | 
