<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/59326>59326</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            ASAN and TSAN introduce unwanted shell execution in posix_spawn on glibc Linux
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          ridiculousfish
      </td>
    </tr>
</table>

<pre>
When using `posix_spawn` under ASAN or TSAN, files that fail to execute will be retried as scripts using `/bin/sh`, on glibc Linux.

`posix_spawn` in glibc used to have a feature such that, if the child-side `exec` call fails with `ENOEXEC`, it would "retry" by passing the argument to `/bin/sh`. This feature was removed as default in 2011 ([see here](https://sourceware.org/bugzilla/show_bug.cgi?id=13134)), now requiring the explicit flag `SPAWN_XFLAGS_TRY_SHELL`. However both ASAN and TSAN somehow set that flag, causing this unwanted `/bin/sh` execution.

The most likely reason is that the interceptor is calling [the compatibility version](https://github.com/lattera/glibc/blob/895ef79e04a953cac1493863bcae29ad85657ee1/posix/spawn.c#L38) of `posix_spawn` instead of the modern one.

To reproduce, on GNU Linux:

1. Create a "shebangless script":
        
        echo 'echo I should not run' > ./file
        chmod a+x ./file

2. Compile and run the following C code as `clang spawn.c`:
        
        #include <spawn.h>
        #include <stdio.h>
        #include <errno.h>

        extern char **environ;

        int main(int argc, char *argv[]) {
          pid_t pid = 0;
          char arg[] = "./file";
          char *const args[] = {arg, NULL};
          /* No file actions, no attributes: SPAWN_XFLAGS_TRY_SHELL is never requested. */
          int ret = posix_spawn(&pid, arg, NULL, NULL, args, environ);
          if (ret == 0) {
            printf("Got pid: %d\n", pid);
          } else {
            /* posix_spawn returns the error number; copy it to errno for perror. */
            errno = ret;
            perror("posix_spawn");
          }
          return 0;
        }
       
This prints `posix_spawn: Exec format error` as expected, as the script does not have a shebang.

Now retry with ASAN: `clang -fsanitize=address spawn.c`, and the script will run. It should not run.

I bisected this to e1240745ef958b575e12fd80bd99ce5a7a347e2c, and confirmed the bug is still present on main (059a23c0f01fd6e5bcef0e403d8108a761ad66f5).
</pre>
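<pre>
A self-contained check for the behaviour this report describes, added here as an example and not part of the original report or of LLVM: it spawns a constructed shebangless script and reports whether `posix_spawn` retried it through `/bin/sh`. The function name, the verdict constants and the `/tmp/spawn-check-XXXXXX` template are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Verdict names are this example's own. */
enum { CHECK_ERROR = -1, NO_SHELL_RETRY = 0, SHELL_RETRY = 1 };

/* Spawn a constructed shebangless script whose only line is "exit 42".
 * The kernel rejects it with ENOEXEC, so exit status 42 can only come
 * from a /bin/sh retry performed inside posix_spawn. */
int check_posix_spawn_shell_retry(void) {
  char path[] = "/tmp/spawn-check-XXXXXX";
  static const char body[] = "exit 42\n";
  int fd = mkstemp(path);
  if (fd < 0) return CHECK_ERROR;
  int ok = write(fd, body, sizeof body - 1) == (ssize_t)(sizeof body - 1) &&
           fchmod(fd, 0700) == 0;
  close(fd); /* close before spawning, or execve fails with ETXTBSY */
  int verdict = CHECK_ERROR;
  if (ok) {
    char *const args[] = {path, NULL};
    pid_t pid = 0;
    int status = 0;
    int ret = posix_spawn(&pid, path, NULL, NULL, args, environ);
    if (ret == ENOEXEC) {
      verdict = NO_SHELL_RETRY; /* exec failure reported to the parent */
    } else if (ret == 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
      if (WEXITSTATUS(status) == 42) verdict = SHELL_RETRY;
      else if (WEXITSTATUS(status) == 127) verdict = NO_SHELL_RETRY;
    }
  }
  unlink(path);
  return verdict;
}

int main(void) {
  int v = check_posix_spawn_shell_retry();
  puts(v == SHELL_RETRY ? "posix_spawn retried via /bin/sh" :
       v == NO_SHELL_RETRY ? "no shell retry" : "check inconclusive");
  return v == NO_SHELL_RETRY ? 0 : 1;
}
```

Build it once plain and once with `-fsanitize=address` or `-fsanitize=thread`, then compare the two verdicts.
</pre>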