authorIan Gudger <ian@iangudger.com>2021-03-04 02:34:51 -0800
committerIan Gudger <ian@iangudger.com>2021-03-04 02:39:15 -0800
commit9b1170123d323e1f1e49bf5cf792070629d7ae09 (patch)
treee850fc44b92b866313bb23c935934810cd185421
parent76f0d2c67b75f9916866c07663dae7c7da805dbc (diff)
Fix race in unix socket transport.
transport.baseEndpoint.receiver and transport.baseEndpoint.connected are protected by transport.baseEndpoint.Mutex. In order to access them without holding the mutex, we must make a copy. Notifications must be sent without holding the mutex, so we need the values without holding the mutex.
-rw-r--r--pkg/sentry/socket/unix/transport/unix.go12
1 files changed, 7 insertions, 5 deletions
diff --git a/pkg/sentry/socket/unix/transport/unix.go b/pkg/sentry/socket/unix/transport/unix.go
index 359a5995b..089a0a647 100644
--- a/pkg/sentry/socket/unix/transport/unix.go
+++ b/pkg/sentry/socket/unix/transport/unix.go
@@ -816,19 +816,20 @@ func (e *baseEndpoint) Connected() bool {
func (e *baseEndpoint) RecvMsg(ctx context.Context, data [][]byte, creds bool, numRights int, peek bool, addr *tcpip.FullAddress) (int64, int64, ControlMessages, bool, *syserr.Error) {
e.Lock()
- if e.receiver == nil {
+ receiver := e.receiver
+ if receiver == nil {
e.Unlock()
return 0, 0, ControlMessages{}, false, syserr.ErrNotConnected
}
- recvLen, msgLen, cms, cmt, a, notify, err := e.receiver.Recv(ctx, data, creds, numRights, peek)
+ recvLen, msgLen, cms, cmt, a, notify, err := receiver.Recv(ctx, data, creds, numRights, peek)
e.Unlock()
if err != nil {
return 0, 0, ControlMessages{}, false, err
}
if notify {
- e.receiver.RecvNotify()
+ receiver.RecvNotify()
}
if addr != nil {
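Review bot: The new local `receiver` in RecvMsg relies on a locking invariant that nothing in the code states: e.receiver is guarded by e.Mutex, and the copy exists only so that RecvNotify can run after `e.Unlock()`. I would add a comment above the assignment, e.g. `// e.receiver is protected by e.Mutex; copy it so RecvNotify can be called after Unlock.`, so that a later cleanup does not fold the local back into `e.receiver.RecvNotify()` and reintroduce the unlocked read. The same comment belongs above `connected := e.connected` in the SendMsg hunk. RecvMsg's body continues past the end of this hunk.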
@@ -850,11 +851,12 @@ func (e *baseEndpoint) SendMsg(ctx context.Context, data [][]byte, c ControlMess
return 0, syserr.ErrAlreadyConnected
}
- n, notify, err := e.connected.Send(ctx, data, c, tcpip.FullAddress{Addr: tcpip.Address(e.path)})
+ connected := e.connected
+ n, notify, err := connected.Send(ctx, data, c, tcpip.FullAddress{Addr: tcpip.Address(e.path)})
e.Unlock()
if notify {
- e.connected.SendNotify()
+ connected.SendNotify()
}
return n, err
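Review bot: `connected.SendNotify()` now runs on a snapshot after `e.Unlock()`, so the object's lifetime is no longer tied to the endpoint field; presumably a concurrent close or reconnect could replace and release e.connected between the unlock and the notify. Nothing in the hunk shows whether SendNotify is safe on an endpoint that has already been released. If it is not, the copy needs its own reference, taken under the lock and dropped after the notify. The same question applies to `receiver.RecvNotify()` in the RecvMsg hunk. SendMsg starts above this hunk, so the connected check that precedes the copy is not visible here; a concurrent send/close test run under the race detector would cover both paths.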