avoid redundant close from calling mysql_close

Eric Wong · Eric Wong · commit 4e6769f72d92 · 2014-03-22T02:41:51.000Z
Calling close redundantly on an FD means a race condition will break
multithreaded applications (or worse, lead to inadvertant
information disclosure).  Consider the following multithreaded
timeline with two threads:

thread 1 (mysql2 close)          | thread 2 (blocking accept loop)
---------------------------------+----------------------------------
close(9) -&gt; fd=9 released        |
                                 | accept() -&gt; fd=9 acquired
mysql_close -&gt; close(9)          |
 # releases fd=9 which thread 2  |
 # just took using accept()      |
                                 | read(9) -&gt; EBADF!

We must prevent mysql_close from possibly hitting a recycled FD when
it calls close again.  So we redirect the existing FD to a dummy
socket (atomically closing the original FD/socket in the process).
This means mysql_close will call close on a valid FD, but that FD
now points to a dummy socket and not a valid FD.

I considered using socketpair (to ensure write/shutdown inside
mysql_close succeeds), but decided against it as there may be
a chance the client library will one day wait for a disconnect
message from the server.

Thanks to Evan Miller &lt;eam@frap.net&gt; for this idea.
diff --git a/ext/mysql2/client.c b/ext/mysql2/client.c
@@ -2,6 +2,7 @@
 
 #include <errno.h>
 #ifndef _WIN32
+#include <sys/types.h>
 #include <sys/socket.h>
 #endif
 #include <unistd.h>
@@ -162,24 +163,58 @@ static void *nogvl_connect(void *ptr) {
   return (void *)(client ? Qtrue : Qfalse);
 }
 
+#ifndef _WIN32
+/*
+ * Redirect clientfd to a dummy socket for mysql_close to
+ * write, shutdown, and close on as a no-op.
+ * We do this hack because we want to call mysql_close to release
+ * memory, but do not want mysql_close to drop connections in the
+ * parent if the socket got shared in fork.
+ * Returns Qtrue or false (success or failure)
+ */
+static VALUE invalidate_fd(int clientfd)
+{
+  /* TODO: set cloexec flags, atomically if possible */
+  int sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
+
+  if (sockfd < 0) {
+    /*
+     * Cannot raise here, because one or both of the following may be true:
+     * a) we have no GVL (in C Ruby)
+     * b) are running as a GC finalizer
+     */
+    return Qfalse;
+  }
+
+  dup2(sockfd, clientfd);
+  close(sockfd);
+
+  return Qtrue;
+}
+#endif /* _WIN32 */
+
 static void *nogvl_close(void *ptr) {
   mysql_client_wrapper *wrapper;
   wrapper = ptr;
   if (wrapper->connected) {
     wrapper->active_thread = Qnil;
     wrapper->connected = 0;
 #ifndef _WIN32
-    /* Call close() on the socket before calling mysql_close(). This prevents
+    /* Invalidate the socket before calling mysql_close(). This prevents
      * mysql_close() from sending a mysql-QUIT or from calling shutdown() on
-     * the socket. The difference is that close() will drop this process's
-     * reference to the socket only, while a QUIT or shutdown() would render
-     * the underlying connection unusable, interrupting other processes which
-     * share this object across a fork().
+     * the socket. The difference is that invalidate_fd will drop this
+     * process's reference to the socket only, while a QUIT or shutdown()
+     * would render the underlying connection unusable, interrupting other
+     * processes which share this object across a fork().
      */
-    close(wrapper->client->net.fd);
+    if (invalidate_fd(wrapper->client->net.fd) == Qfalse) {
+      fprintf(stderr, "[WARN] mysql2 failed to invalidate FD safely, leaking some memory\n");
+      close(wrapper->client->net.fd);
+      return NULL;
+    }
 #endif
 
-    mysql_close(wrapper->client);
+    mysql_close(wrapper->client); /* only used to free memory at this point */
   }
 
   return NULL;
