fix(utils): retry fgetpwent_r() on EINTR

[jnovy]

The passwd entry lookup could fail spuriously when interrupted by a signal during iteration. The call is now retried when interrupted, consistent with standard practice for handling interruptible system calls.

Fixes: #2009

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a potential issue where user lookup operations could fail intermittently due to signal interruptions. By introducing a retry loop for the fgetpwent_r() function when an EINTR error is encountered, the change ensures that the system gracefully handles these temporary interruptions, leading to more reliable user information retrieval.

Highlights

• Error Handling: Implemented a retry mechanism for the fgetpwent_r() system call when it returns EINTR, ensuring robustness against spurious failures caused by signal interruptions during user lookup.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/libcrun/utils.c
  • Added a retry loop for fgetpwent_r() when EINTR is returned.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly fixes an issue where fgetpwent_r() could fail when interrupted by a signal by retrying on EINTR. The change is correct and follows standard practice. My review includes a suggestion to refactor the retry logic to make it more idiomatic and self-contained, which would improve code clarity.

[kolyshkin]

I think this is a fix to something that's not a bug; see #2009 (comment)

[jnovy]

@kolyshkin Thanks for the context. It is IMO a real bug in uncommon setups, imagine e.g. rootless containers setup with fuse-overlayfs. The FUSE read() can return EINTR because the kernel FUSE driver uses interruptible waits. The glibc's stdio layer does not retry on EINTR internally. So EINTR can propagate all the way up to fgetpwent_r's return value.

Does it make sense?

[giuseppe]

@kolyshkin I had a quick look at glibc and I don't seem to find any retry on EINTR. To confirm it, I've vibecoded a test case where read() is intercepted by seccomp to emulate EINTR and in fact, EINTR is propagated to the caller:

#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if __x86_64__
#define AUDIT_ARCH_CURRENT AUDIT_ARCH_X86_64
#elif __aarch64__
#define AUDIT_ARCH_CURRENT AUDIT_ARCH_AARCH64
#else
#error "Unsupported architecture"
#endif

static unsigned long n_calls;

static int install_seccomp_filter(void) {
  struct sock_filter filter[] = {
      BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
      BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_CURRENT, 1, 0),
      BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
      BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
      BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 0, 1),
      BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
      BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
  };

  struct sock_fprog prog = {
      .len = sizeof(filter) / sizeof(filter[0]),
      .filter = filter,
  };

  return syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
                 SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* Send an fd over a unix socket */
static int send_fd(int sock, int fd) {
  char buf = 0;
  struct iovec iov = {.iov_base = &buf, .iov_len = 1};
  union {
    struct cmsghdr hdr;
    char bytes[CMSG_SPACE(sizeof(int))];
  } cmsg_buf;

  struct msghdr msg = {
      .msg_iov = &iov,
      .msg_iovlen = 1,
      .msg_control = cmsg_buf.bytes,
      .msg_controllen = sizeof(cmsg_buf.bytes),
  };

  struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
  cmsg->cmsg_level = SOL_SOCKET;
  cmsg->cmsg_type = SCM_RIGHTS;
  cmsg->cmsg_len = CMSG_LEN(sizeof(int));
  memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

  return sendmsg(sock, &msg, 0) >= 0 ? 0 : -1;
}

/* Receive an fd over a unix socket */
static int recv_fd(int sock) {
  char buf;
  struct iovec iov = {.iov_base = &buf, .iov_len = 1};
  union {
    struct cmsghdr hdr;
    char bytes[CMSG_SPACE(sizeof(int))];
  } cmsg_buf;

  struct msghdr msg = {
      .msg_iov = &iov,
      .msg_iovlen = 1,
      .msg_control = cmsg_buf.bytes,
      .msg_controllen = sizeof(cmsg_buf.bytes),
  };

  if (recvmsg(sock, &msg, 0) < 0)
    return -1;

  struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
  int fd;
  memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
  return fd;
}

static void run_child(int sock) {
  FILE *f = fopen("/etc/passwd", "r");
  if (!f) {
    perror("fopen");
    _exit(1);
  }

  /*
   * Install seccomp AFTER all setup is done (dynamic linker,
   * fopen, etc.), so only the fgetpwent_r reads are intercepted.
   */
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("prctl(NO_NEW_PRIVS)");
    _exit(1);
  }

  int notify_fd = install_seccomp_filter();
  if (notify_fd < 0) {
    perror("seccomp");
    _exit(1);
  }

  /* Pass the notify fd to the parent */
  send_fd(sock, notify_fd);
  close(notify_fd);
  close(sock);

  struct passwd pw;
  char buf[4096];
  struct passwd *result;
  int ret;
  int count = 0;

  while (1) {
    ret = fgetpwent_r(f, &pw, buf, sizeof(buf), &result);
    if (ret)
      break;
    count++;
    printf("%-20s uid=%-5u gid=%-5u home=%s shell=%s\n", pw.pw_name, pw.pw_uid,
           pw.pw_gid, pw.pw_dir, pw.pw_shell);
  }

  if (ret != 0 && ret != ENOENT)
    fprintf(stderr, "fgetpwent_r failed: %s (%d)\n", strerror(ret), ret);

  fprintf(stderr, "Total entries: %d\n", count);
  fclose(f);
  _exit(0);
}

static void run_supervisor(int notify_fd, pid_t child) {
  struct seccomp_notif_sizes sizes;

  if (syscall(__NR_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes)) {
    perror("seccomp(GET_NOTIF_SIZES)");
    return;
  }

  for (;;) {
    struct seccomp_notif *req = calloc(1, sizes.seccomp_notif);
    struct seccomp_notif_resp *resp = calloc(1, sizes.seccomp_notif_resp);

    if (ioctl(notify_fd, SECCOMP_IOCTL_NOTIF_RECV, req)) {
      free(req);
      free(resp);
      break;
    }

    resp->id = req->id;

    if (n_calls % 2 == 0) {
      resp->error = -EINTR;
      resp->val = 0;
      resp->flags = 0;
      fprintf(stderr, "[supervisor] read(fd=%d) call #%lu -> EINTR\n",
              (int)req->data.args[0], n_calls);
    } else {
      resp->error = 0;
      resp->val = 0;
      resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
      fprintf(stderr, "[supervisor] read(fd=%d) call #%lu -> CONTINUE\n",
              (int)req->data.args[0], n_calls);
    }

    n_calls++;

    if (ioctl(notify_fd, SECCOMP_IOCTL_NOTIF_SEND, resp)) {
      if (errno != ENOENT)
        perror("NOTIF_SEND");
    }

    free(req);
    free(resp);
  }

  int status;
  waitpid(child, &status, 0);
  if (WIFEXITED(status))
    fprintf(stderr, "[supervisor] child exited with %d\n", WEXITSTATUS(status));
}

int main(void) {
  int sv[2];
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv)) {
    perror("socketpair");
    return 1;
  }

  pid_t pid = fork();
  if (pid < 0) {
    perror("fork");
    return 1;
  }

  if (pid == 0) {
    close(sv[0]);
    run_child(sv[1]);
    _exit(0);
  }

  close(sv[1]);

  int notify_fd = recv_fd(sv[0]);
  close(sv[0]);

  if (notify_fd < 0) {
    fprintf(stderr, "failed to receive notify fd\n");
    return 1;
  }

  run_supervisor(notify_fd, pid);
  close(notify_fd);
  return 0;
}

and then:

gcc -o eintr_seccomp eintr_seccomp.c && ./eintr_seccomp
[supervisor] read(fd=3) call #0 -> EINTR
fgetpwent_r failed: Interrupted system call (4)
Total entries: 0
[supervisor] child exited with 0

[giuseppe]

@jnovy could you please rebase?

[giuseppe]

LGTM,

but let's wait for @kolyshkin to chime in

[kolyshkin]

Oh well :( FWIW glibc docs say

The description of each primitive affected by this issue lists
‘EINTR’ among the error codes it can return.

and EINTR is listed for open/read/write/close etc., but not for e.g. getline/fgets
(although they don't list any other errors either).

OTOH it also says

One important exception is ‘EINTR’ (*note Interrupted Primitives::).
Many stream I/O implementations will treat it as an ordinary error,

I guess glibc implementation is among those "many".

Perhaps there are many other places that need retry-on-EINTR logic.

[kolyshkin]

LGTM

[kolyshkin]

@jnovy can you please rebase (to include #2044).