authorRahat Mahmood <rahat@google.com>2021-09-14 16:47:05 -0700
committergVisor bot <gvisor-bot@google.com>2021-09-14 16:53:30 -0700
commitd6c99694bcb9a5e4ce50ff48d648ba6ada0b9687 (patch)
treec672e6d062a4e904368a8a8285c528e1b61046d6
parent8d14edb14b6b757f049faf760c72d58616903d7a (diff)
Fix race on msgrcv(MSG_COPY).
Previously, we weren't making a copy when a sysv message queue was receiving a message with the MSG_COPY flag. This flag indicates the message being received should be left in the queue and a copy of the message should be returned to userspace. Without the copy, a racing process can modify the original message while it's being marshalled to user memory. Reported-by: syzbot+cb15e644698b20ff4e17@syzkaller.appspotmail.com PiperOrigin-RevId: 396712856
-rw-r--r--pkg/sentry/kernel/msgqueue/msgqueue.go12
1 files changed, 11 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/msgqueue/msgqueue.go b/pkg/sentry/kernel/msgqueue/msgqueue.go
index 7c459d076..c7c5e41fb 100644
--- a/pkg/sentry/kernel/msgqueue/msgqueue.go
+++ b/pkg/sentry/kernel/msgqueue/msgqueue.go
@@ -129,6 +129,16 @@ type Message struct {
Size uint64
}
+func (m *Message) makeCopy() *Message {
+ new := &Message{
+ Type: m.Type,
+ Size: m.Size,
+ }
+ new.Text = make([]byte, len(m.Text))
+ copy(new.Text, m.Text)
+ return new
+}
+
// Blocker is used for blocking Queue.Send, and Queue.Receive calls that serves
// as an abstracted version of kernel.Task. kernel.Task is not directly used to
// prevent circular dependencies.
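Review bot: The local named `new` on the `new := &Message{` line shadows Go's builtin `new` for the rest of makeCopy; it compiles, but it is the kind of shadowing `go vet`/linters flag and it reads oddly next to `make`. Renaming it, e.g. `c := &Message{` / `c.Text = make([]byte, len(m.Text))` / `return c`, keeps the logic identical. The helper also has no doc comment, and since its whole purpose is the race fix from the commit message that contract is worth stating: `// makeCopy returns a Message whose Type, Size and Text are copied from m and that shares no storage with m, so the copy can be marshalled to user memory after the queue lock is dropped without racing a concurrent writer.` The head of the Message struct is outside the hunk; if it carries fields beyond Type, Text and Size, the comment should also say those are intentionally left at their zero values in the copy.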
@@ -455,7 +465,7 @@ func (q *Queue) Copy(mType int64) (*Message, error) {
if msg == nil {
return nil, linuxerr.ENOMSG
}
- return msg, nil
+ return msg.makeCopy(), nil
}
// msgOfType returns the first message with the specified type, nil if no
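Review bot: The copy at `return msg.makeCopy(), nil` only closes the race if it is taken while the queue's lock is still held, so that msg cannot be modified by a concurrent msgsnd/msgrcv between the msgOfType lookup and the byte copy; Copy's body before the `if msg == nil` check, including whatever lock it takes, starts outside the hunk, so this is worth confirming rather than assumed. Because the function now returns an independent Message, its doc comment (also outside the hunk) should state the new ownership contract, e.g. `// Copy returns a copy of the first message of type mType without dequeueing it; the caller owns the result and may marshal it to user memory after the queue lock is released.` That sentence is what tells a future caller it is safe to unlock before copying out, which is the property this commit relies on.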