From 7559a1be8a0afb10df41d25e4cf4c5285a5faef1 Mon Sep 17 00:00:00 2001 From: Patrick Reynolds Date: Thu, 18 Sep 2014 11:57:09 -0500 Subject: unblock and unignore SIGPIPE Blocked and ignored signals -- but not caught signals -- are inherited across exec. Some callers with sloppy signal-handling behavior can call git with SIGPIPE blocked or ignored, even non-deterministically. When SIGPIPE is blocked or ignored, several git commands can run indefinitely, ignoring EPIPE returns from write() calls, even when the process that called them has gone away. Our specific case involved a pipe of git diff-tree output to a script that reads a limited amount of diff data. In an ideal world, git would never be called with SIGPIPE blocked or ignored. But in the real world, several real potential callers, including Perl, Apache, and Unicorn, sometimes spawn subprocesses with SIGPIPE ignored. It is easier and more productive to harden git against this mistake than to clean it up in every potential parent process. Signed-off-by: Patrick Reynolds Signed-off-by: Junio C Hamano --- git.c | 22 ++++++++++++++++++++++ t/t0005-signals.sh | 22 ++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/git.c b/git.c index 9c49519831..bf4d41f0e6 100644 --- a/git.c +++ b/git.c 
@@ -592,6 +592,26 @@ static int run_argv(int *argcp, const char ***argv) return done_alias; } +/* + * Many parts of Git have subprograms communicate via pipe, expect the + * upstream of a pipe to die with SIGPIPE when the downstream of a + * pipe does not need to read all that is written. Some third-party + * programs that ignore or block SIGPIPE for their own reason forget + * to restore SIGPIPE handling to the default before spawning Git and + * break this carefully orchestrated machinery. + * + * Restore the way SIGPIPE is handled to default, which is what we + * expect. + */ +static void restore_sigpipe_to_default(void) +{ + sigset_t unblock; + + sigemptyset(&unblock); + sigaddset(&unblock, SIGPIPE); + sigprocmask(SIG_UNBLOCK, &unblock, NULL); + signal(SIGPIPE, SIG_DFL); +} int main(int argc, char **av) { @@ -611,6 +631,8 @@ int main(int argc, char **av) */ sanitize_stdfds(); + restore_sigpipe_to_default(); + git_setup_gettext(); trace_command_performance(argv); diff --git a/t/t0005-signals.sh b/t/t0005-signals.sh index 981437b3a8..638a355906 100755 --- a/t/t0005-signals.sh +++ b/t/t0005-signals.sh @@ -27,4 +27,26 @@ test_expect_success !MINGW 'signals are propagated using shell convention' ' test_expect_code 143 git sigterm ' +large_git () { + for i in $(test_seq 1 100) + do + git diff --cached --binary || return + done +} + +test_expect_success 'create blob' ' + test-genrandom foo 16384 >file && + git add file +' + +test_expect_success 'a constipated git dies with SIGPIPE' ' + OUT=$( ((large_git; echo $? 1>&3) | :) 3>&1 ) + test "$OUT" -eq 141 +' + +test_expect_success 'a constipated git dies with SIGPIPE even if parent ignores it' ' + OUT=$( ((trap "" PIPE; large_git; echo $? 1>&3) | :) 3>&1 ) + test "$OUT" -eq 141 +' + test_done -- cgit v1.2.3 From 4e6d207c45e6f5c13b38c4a200f0d3339f88ad34 Mon Sep 17 00:00:00 2001 
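Review bot: In `restore_sigpipe_to_default()` the results of `sigprocmask()` and `signal()` are discarded, so if either call failed git would silently keep the inherited SIGPIPE state that the commit message says can make commands run indefinitely. With these fixed arguments a failure is unlikely, so this may be deliberate best-effort. If so, the header comment should say it, for example with an extra line `* Failures are ignored on purpose: this is best-effort hardening.`. The comment could also state whether clearing the mask before resetting the disposition is intentional, since the code alone does not tell a reader that the order matters.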
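Review bot: The reset is wired only into `main()` in git.c (second hunk), so a git program that has its own `main()` and is started directly would presumably still inherit a blocked or ignored SIGPIPE. This page shows no other entry point being changed, and the commit message names Apache among the affected callers, so that path is worth checking. If coverage is meant to stop at git.c, a comment at the call such as `/* only commands started through git.c get this reset */` would record the gap. `main()` begins and ends outside the hunk.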
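Review bot: The new tests in t/t0005-signals.sh cover the default and the ignored case (`trap "" PIPE`), but nothing exercises a blocked SIGPIPE, which is the half of the fix done by `sigprocmask(SIG_UNBLOCK, ...)`. A plain shell has no way to block a signal, so covering it would likely need a small helper that blocks SIGPIPE before exec'ing git. Until then a comment above the last test such as `# a blocked (as opposed to ignored) SIGPIPE is not covered here` keeps the gap visible. `large_git` also appears to rely on 100 binary diffs of a 16384-byte blob being more output than the pipe will hold, which is worth a one-line comment next to the loop.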
From: Johannes Sixt Date: Mon, 22 Sep 2014 20:24:34 +0200 Subject: mingw.h: add dummy functions for sigset_t operations Windows does not have POSIX-like signals, and so we ignore all operations on the non-existent signal mask machinery. Do not turn sigemptyset into a function, but leave it a macro that erases the code in the argument because it is used to set sa_mask of a struct sigaction, but our dummy in mingw.h does not have that member. Signed-off-by: Johannes Sixt Signed-off-by: Junio C Hamano --- compat/mingw.h | 7 ++++++- t/t0005-signals.sh | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/compat/mingw.h b/compat/mingw.h index df0e3203ab..5e499cfb71 100644 --- a/compat/mingw.h +++ b/compat/mingw.h @@ -69,7 +69,6 @@ struct sigaction { sig_handler_t sa_handler; unsigned sa_flags; }; -#define sigemptyset(x) (void)0 #define SA_RESTART 0 struct itimerval { @@ -116,6 +115,12 @@ static inline int fcntl(int fd, int cmd, ...) } /* bash cannot reliably detect negative return codes as failure */ #define exit(code) exit((code) & 0xff) +#define sigemptyset(x) (void)0 +static inline int sigaddset(sigset_t *set, int signum) +{ return 0; } +#define SIG_UNBLOCK 0 +static inline int sigprocmask(int how, const sigset_t *set, sigset_t *oldset) +{ return 0; } /* * simple adaptors diff --git a/t/t0005-signals.sh b/t/t0005-signals.sh index 638a355906..aeea50c633 100755 --- a/t/t0005-signals.sh +++ b/t/t0005-signals.sh @@ -39,12 +39,12 @@ test_expect_success 'create blob' ' git add file ' -test_expect_success 'a constipated git dies with SIGPIPE' ' +test_expect_success !MINGW 'a constipated git dies with SIGPIPE' ' OUT=$( ((large_git; echo $? 1>&3) | :) 3>&1 ) test "$OUT" -eq 141 ' -test_expect_success 'a constipated git dies with SIGPIPE even if parent ignores it' ' +test_expect_success !MINGW 'a constipated git dies with SIGPIPE even if parent ignores it' ' OUT=$( ((trap "" PIPE; large_git; echo $? 1>&3) | :) 3>&1 ) test "$OUT" -eq 141 ' -- cgit v1.2.3
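Review bot: In the second compat/mingw.h hunk, the reason `sigemptyset` stays a macro while `sigaddset` and `sigprocmask` become inline functions is given only in the commit message, so a reader of the header sees an unexplained inconsistency. A comment above the moved define would fix that, for example `/* stays a macro: it is applied to sa_mask, which our dummy struct sigaction lacks */`. The two stubs return 0 without doing anything, so callers are told the mask changed when it did not; a short `/* no signal mask on Windows: report success, do nothing */` would make that explicit. `SIG_UNBLOCK` is defined unconditionally, so if a toolchain header already provides it an `#ifndef SIG_UNBLOCK` guard may be safer, though that cannot be confirmed from this page.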