Fwd: Safety Against Memory Leaks in opendir()

From: Berne Campbell <berne.campbell_at_gmail.com>
Date: Fri, 10 Feb 2017 10:47:58 +1100

Hello,

I've been studying the documentation of S6. I see that s6-svscan has been
designed so that it can run as init (PID==1), and there's a note that most
opendir() implementations use malloc, so it may be possible to leak memory.

To protect against this I'm pondering using suckless init (sinit) as PID
1, and having it spawn something supervising s6-svscan. My understanding is
that sinit won't be able to leak memory in userspace.

The problem I see is that s6-supervise also uses opendir() and so it's not
suitable to supervise s6-svscan.

If a suitable sinit -> supervisor -> s6-svscan chain could be made, it
takes a little extra memory and boot-up time, but should mean that if
opendir() leaks memory and s6-svscan dies, then the leaked memory will be
recovered and the supervisor could restart s6-svscan.

I think it would be worth the trade-off of always using a little extra
resources to get the extra protection. Does it seem wise? Am I overlooking
things or misunderstanding things?

If it makes a difference I plan to use musl libc.

Thanks,
Berne
Received on Thu Feb 09 2017 - 23:47:58 UTC
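The sinit -> supervisor -> s6-svscan chain above relies on a middle process that allocates nothing in userspace and simply respawns its child, so that whatever the child leaked goes back to the kernel when the child exits. As an added example (not code from this thread, nor from the s6 or sinit projects), here is a minimal respawning loop in C that uses only fork/execvp/wait; the run limit and restart delay parameters are an assumption added so the loop can be exercised and does not spin on a crash loop.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reap children until `child` exits. wait() rather than waitpid(child) so that,
   when this runs as PID 1, orphaned zombies re-parented to us are reaped too. */
static int wait_for(pid_t child) {
    int status;
    for (;;) {
        pid_t w = wait(&status);
        if (w == child) return status;
        if (w < 0 && errno != EINTR) return -1;   /* no children left: should not happen */
    }
}

/* Start argv once and wait for it. Returns the wait status, or -1 on error.
   Exit code 127 is reserved here to mean "exec failed" (same convention as sh). */
static int run_once(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    return wait_for(pid);
}

/* Supervision loop: restart argv every time it exits. No heap use here, so the
   parent cannot leak; anything the child (e.g. s6-svscan) leaked is freed by
   the kernel when that process ends. max_runs: stop after this many starts
   (0 = forever, the real-init case). delay_sec: pause between restarts.
   Returns the number of starts, or -1 if the program could not be run at all. */
int supervise(char *const argv[], unsigned max_runs, unsigned delay_sec) {
    unsigned runs = 0;
    while (max_runs == 0 || runs < max_runs) {
        int status = run_once(argv);
        runs++;
        if (status < 0) return -1;
        if (WIFEXITED(status) && WEXITSTATUS(status) == 127) return -1;
        if (delay_sec) sleep(delay_sec);
    }
    return (int)runs;
}
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args...]\n", argv[0]); return 2; }
    return supervise(argv + 1, 0, 1) < 0 ? 1 : 0;
}
```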