perl: silent write error can lead to data loss, with patch

Automatically imported from Debian bug report #285435 http://bugs.debian.org/285435

Message-Id: <email address hidden>
Date: Mon, 13 Dec 2004 09:49:24 +0100
From: Jim Meyering <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: perl: silent write error can lead to data loss, with patch

Package: perl
Version: 5.8.4-5
Severity: grave
Tags: security patch
Justification: causes non-serious data loss

At first I hesitated to give this the `security' tag, but if you care
about security/reliability and write to a file, then you do want this fix.
And calling this a `grave' bug might be accurate, but only if you're
constantly writing to a nearly-full disk.

I reported this upstream a couple of weeks ago, but was surprised
by the total lack of response. Maybe you'll be more interested:

  http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2004-12/msg00072.html
  http://rt.perl.org/rt3/index.html?q=32745

Sometimes, closing a Perl file handle succeeds even though there have
been write errors via that handle. This bug appears to affect every
version of perl from 5.005_04 to 5.9.1. I didn't build/test versions
earlier than 5.005_04, but the doio.c:do_close function in 5.003 looks
like it has the same problem.

Here's a quick demo that depends on two things:
  - you have a /dev/full device (Linux, HPUX, MaxOS-X/Darwin)
  - 131072 is a multiple of your system's I/O buffer size

  perl -e 'print "x" x 131072; close STDOUT or die "$!\n"' \
    > /dev/full 2> /dev/null && echo fail || echo ok

It prints `fail' because at least one write system call failed and Perl's
`close' mistakenly succeeded. It would print `ok' for any size output
other than a multiple of the output buffer size. On the Linux systems
I've checked, that size is 4096. On a ppc/Darwin (7.5.0) system I tested,
the buffer size was 131072.

This means that if your Perl script happens to write precisely the
wrong number of bytes to a full or corrupted disk or to a closed file
descriptor, even if you dutifully check for success when closing the
file handle, the error will go undetected.

Here's another demo. Notice that it fails (as it should) for sizes
131071 and 131073, but not for output of size 131072.

  $ perl -e 'print "x" x 131071; close STDOUT or die "$!\n"' > /dev/full
  No space left on device
  [Exit 28]
  $ perl -e 'print "x" x 131072; close STDOUT or die "$!\n"' > /dev/full
  $ perl -e 'print "x" x 131073; close STDOUT or die "$!\n"' > /dev/full
  No space left on device
  [Exit 28]

After applying the patch below, the problematic case (with size being
a multiple of 4096 in my case), now fails, as it should:

  $ ./perl -e 'print "x" x 131072; close STDOUT or die "$!\n"' > /dev/full
  No space left on device
  [Exit 28]

On a Solaris 5.9 system, which lacks /dev/full, I demonstrated
the failure with the following small script that invokes perl with
stdout closed. All invocations of perl should evoke the
`Bad file number' error. But note that on some systems the
closed-stdout test succeeds (perl detects the error) even though
the write-to-/dev/full test fails.

    #!/bin/sh
    n=1024
    for i in 1 2 3 4 5 6; do
       echo $n
       perl -e 'print "x" x '$n'; close STDOUT or die "$!\n"' >&-
       n=...

Message-ID: <email address hidden>
Date: Mon, 13 Dec 2004 02:09:37 -0800
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
Subject: Re: Bug#285435: perl: silent write error can lead to data loss, with patch

tags 285435 - security
thanks

--
 - mdz

Message-Id: <email address hidden>
Date: Wed, 02 Feb 2005 10:17:16 -0500
From: Brendan O'Dea <email address hidden>
To: <email address hidden>
Subject: Bug#285435: fixed in perl 5.8.4-6

Source: perl
Source-Version: 5.8.4-6

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.4-6_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.4-6_all.deb
libperl-dev_5.8.4-6_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.4-6_i386.deb
libperl-dev_5.8.4-6_powerpc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-6_powerpc.deb
libperl-dev_5.8.4-6_sparc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-6_sparc.deb
libperl5.8_5.8.4-6_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.4-6_i386.deb
libperl5.8_5.8.4-6_powerpc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-6_powerpc.deb
libperl5.8_5.8.4-6_sparc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-6_sparc.deb
perl-base_5.8.4-6_i386.deb
  to pool/main/p/perl/perl-base_5.8.4-6_i386.deb
perl-base_5.8.4-6_powerpc.deb
  to pool/main/p/perl/perl-base_5.8.4-6_powerpc.deb
perl-base_5.8.4-6_sparc.deb
  to pool/main/p/perl/perl-base_5.8.4-6_sparc.deb
perl-debug_5.8.4-6_i386.deb
  to pool/main/p/perl/perl-debug_5.8.4-6_i386.deb
perl-debug_5.8.4-6_powerpc.deb
  to pool/main/p/perl/perl-debug_5.8.4-6_powerpc.deb
perl-debug_5.8.4-6_sparc.deb
  to pool/main/p/perl/perl-debug_5.8.4-6_sparc.deb
perl-doc_5.8.4-6_all.deb
  to pool/main/p/perl/perl-doc_5.8.4-6_all.deb
perl-modules_5.8.4-6_all.deb
  to pool/main/p/perl/perl-modules_5.8.4-6_all.deb
perl-suid_5.8.4-6_i386.deb
  to pool/main/p/perl/perl-suid_5.8.4-6_i386.deb
perl-suid_5.8.4-6_powerpc.deb
  to pool/main/p/perl/perl-suid_5.8.4-6_powerpc.deb
perl-suid_5.8.4-6_sparc.deb
  to pool/main/p/perl/perl-suid_5.8.4-6_sparc.deb
perl_5.8.4-6.diff.gz
  to pool/main/p/perl/perl_5.8.4-6.diff.gz
perl_5.8.4-6.dsc
  to pool/main/p/perl/perl_5.8.4-6.dsc
perl_5.8.4-6_i386.deb
  to pool/main/p/perl/perl_5.8.4-6_i386.deb
perl_5.8.4-6_powerpc.deb
  to pool/main/p/perl/perl_5.8.4-6_powerpc.deb
perl_5.8.4-6_sparc.deb
  to pool/main/p/perl/perl_5.8.4-6_sparc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <email address hidden> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 2 Feb 2005 23:55:27 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc
Version: 5.8.4-6
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <email address hidden>
Changed-By: Brendan O'Dea <email address hidden>
Description:
 libperl-dev - Perl library: development files
 libperl5.8 - ...

5.8.4-6 synced from unstable