From 2e6195ffe0ad452b2137c32d635d890c9d872e8d Mon Sep 17 00:00:00 2001
From: Andrei Vagin
Date: Thu, 24 Jun 2021 15:33:26 -0700
Subject: CreateProcessGroup has to check whether a target process stil exists or not

A caller of CreateProcessGroup looks up a thread group without locks, so the target process can exit before CreateProcessGroup will be called.

Reported-by: syzbot+6abb7c34663dacbd55a8@syzkaller.appspotmail.com
PiperOrigin-RevId: 381351069
---
 pkg/sentry/kernel/sessions.go | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'pkg/sentry/kernel/sessions.go')

diff --git a/pkg/sentry/kernel/sessions.go b/pkg/sentry/kernel/sessions.go
index ca9076406..973d708a3 100644
--- a/pkg/sentry/kernel/sessions.go
+++ b/pkg/sentry/kernel/sessions.go
@@ -369,6 +369,11 @@ func (tg *ThreadGroup) CreateProcessGroup() error {
 // Get the ID for this thread in the current namespace.
 id := tg.pidns.tgids[tg]

+ // Check whether a process still exists or not.
+ if id == 0 {
+ return syserror.ESRCH
+ }
+
 // Per above, check for a Session leader or existing group.
 for s := tg.pidns.owner.sessions.Front(); s != nil; s = s.Next() {
 if s.leader.pidns != tg.pidns {
--
cgit v1.2.3
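Review bot: The added guard `if id == 0` depends on a missing key in `tg.pidns.tgids` yielding the zero ID, which the comment "Check whether a process still exists or not" does not say. Assuming 0 is never stored as a valid ID, the comma-ok form states the intent directly: `id, ok := tg.pidns.tgids[tg]` followed by `if !ok { return syserror.ESRCH }`. The check closes the race described in the commit message only if the lock guarding `tgids` is already held at this point and stays held through the session loop below. CreateProcessGroup starts and ends outside the hunk, so that needs confirming against the full function. The commit touches only sessions.go; a regression test that calls CreateProcessGroup on a thread group that has already exited would keep the ESRCH path from regressing.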