From 07d832dbb539e0bcca74800d09d0ea607d8173a3 Mon Sep 17 00:00:00 2001
From: Rahat Mahmood
Date: Thu, 17 Sep 2020 23:35:43 -0700
Subject: fuse.DeviceFD needs to hold a reference on the associated filesystem.

This fixes a use-after-free in fuse.DeviceFD.Release.

PiperOrigin-RevId: 332394146
---
 pkg/sentry/fsimpl/fuse/dev.go | 7 ++++++-
 pkg/sentry/fsimpl/fuse/fusefs.go | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

(limited to 'pkg/sentry/fsimpl/fuse')

diff --git a/pkg/sentry/fsimpl/fuse/dev.go b/pkg/sentry/fsimpl/fuse/dev.go
index 5539466ff..f690ef5ad 100644
--- a/pkg/sentry/fsimpl/fuse/dev.go
+++ b/pkg/sentry/fsimpl/fuse/dev.go
@@ -95,9 +95,14 @@ type DeviceFD struct {
 }
 
 // Release implements vfs.FileDescriptionImpl.Release.
-func (fd *DeviceFD) Release(context.Context) {
+func (fd *DeviceFD) Release(ctx context.Context) {
 	if fd.fs != nil {
+		fd.fs.conn.mu.Lock()
 		fd.fs.conn.connected = false
+		fd.fs.conn.mu.Unlock()
+
+		fd.fs.VFSFilesystem().DecRef(ctx)
+		fd.fs = nil
 	}
 }
 
diff --git a/pkg/sentry/fsimpl/fuse/fusefs.go b/pkg/sentry/fsimpl/fuse/fusefs.go
index f1ffd2343..8f37fd40c 100644
--- a/pkg/sentry/fsimpl/fuse/fusefs.go
+++ b/pkg/sentry/fsimpl/fuse/fusefs.go
@@ -218,6 +218,7 @@ func newFUSEFilesystem(ctx context.Context, devMinor uint32, opts *filesystemOpt
 		conn: conn,
 	}
 
+	fs.VFSFilesystem().IncRef()
 	fuseFD.fs = fs
 
 	return fs, nil
-- 
cgit v1.2.3
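Review bot: The doc comment on Release in dev.go should state that this method now owns the teardown of the filesystem reference, because a reader of dev.go cannot see where the matching IncRef is taken; suggest `// Release implements vfs.FileDescriptionImpl.Release. It marks the connection disconnected and drops the filesystem reference taken in newFUSEFilesystem; fd.fs must not be used afterwards.` The write to fd.fs.conn.connected is now done under conn.mu, which presumably matches how other readers of connected in the package are synchronised; if any reader checks the flag without the lock, that path remains a data race that this hunk does not close. Clearing fd.fs after DecRef is the right order, since conn is read before the reference is dropped and any later use becomes a nil dereference rather than a use of freed state; the fs field in the DeviceFD struct, whose body ends at the top of this hunk, should carry a comment saying it holds a counted reference released here.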
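Review bot: The IncRef added before `fuseFD.fs = fs` in newFUSEFilesystem is paired with the DecRef in DeviceFD.Release, but nothing in the hunk establishes that fuseFD.fs is nil at this point; if the caller does not already reject a device FD that is attached to another filesystem, the assignment would overwrite the previous pointer and leak that filesystem's reference. Either a guard that returns an error when fuseFD.fs is already set, placed before the IncRef, or a comment stating that the caller guarantees the device FD is unattached, would make the ownership explicit; a short comment on the new line such as `// The device FD holds a reference on the filesystem; released in DeviceFD.Release.` would also help whoever next touches the refcount. newFUSEFilesystem's body begins outside this hunk, so the check may already exist earlier in the function.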