| author | Rahat Mahmood <rahat@google.com> | 2021-09-14 16:47:05 -0700 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2021-09-14 16:53:30 -0700 |
| commit | d6c99694bcb9a5e4ce50ff48d648ba6ada0b9687 (patch) | |
| tree | c672e6d062a4e904368a8a8285c528e1b61046d6 | |
| parent | 8d14edb14b6b757f049faf760c72d58616903d7a (diff) | |
Fix race on msgrcv(MSG_COPY).
Previously, we weren't making a copy when a sysv message queue was
receiving a message with the MSG_COPY flag. This flag indicates the
message being received should be left in the queue and a copy of the
message should be returned to userspace. Without the copy, a racing
process can modify the original message while it's being marshalled to
user memory.
Reported-by: syzbot+cb15e644698b20ff4e17@syzkaller.appspotmail.com
PiperOrigin-RevId: 396712856
-rw-r--r-- | pkg/sentry/kernel/msgqueue/msgqueue.go | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/msgqueue/msgqueue.go b/pkg/sentry/kernel/msgqueue/msgqueue.go index 7c459d076..c7c5e41fb 100644 --- a/pkg/sentry/kernel/msgqueue/msgqueue.go +++ b/pkg/sentry/kernel/msgqueue/msgqueue.go @@ -129,6 +129,16 @@ type Message struct { Size uint64 } +func (m *Message) makeCopy() *Message { + new := &Message{ + Type: m.Type, + Size: m.Size, + } + new.Text = make([]byte, len(m.Text)) + copy(new.Text, m.Text) + return new +} + // Blocker is used for blocking Queue.Send, and Queue.Receive calls that serves // as an abstracted version of kernel.Task. kernel.Task is not directly used to // prevent circular dependencies. @@ -455,7 +465,7 @@ func (q *Queue) Copy(mType int64) (*Message, error) { if msg == nil { return nil, linuxerr.ENOMSG } - return msg, nil + return msg.makeCopy(), nil } // msgOfType returns the first message with the specified type, nil if no |
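Review bot: in the `makeCopy` hunk, the local variable `new := &Message{...}` shadows Go's builtin `new`; rename it (for example `cp`) so the function reads cleanly and does not trip shadowing lints. A one-line doc comment on `makeCopy` would also help, stating that it returns a message with its own `Text` backing array (the `make`/`copy` pair is what separates the copy from the queued message), since that independence is exactly what the fix relies on.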
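Review bot: in the `Copy` hunk, `return msg.makeCopy(), nil` only closes the race described in the commit message if the copy is taken while the queue's lock is still held; the hunk's context lines show the `msgOfType` lookup and the `ENOMSG` check but not the locking around them, so confirm that `Queue.Copy` holds the queue mutex across both the lookup and the `makeCopy` call, and that only the returned copy is ever marshalled to user memory after the lock is released.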