From 4d07fc952d6bb5aa70b4bc9ff5e6457987f1721c Mon Sep 17 00:00:00 2001
From: Ayush Ranjan
Date: Mon, 25 Oct 2021 13:43:37 -0700
Subject: Do not leak non-permission mode bits in mq_open(2).

As caught by syzkaller, we were leaking non-permission bits while passing the user generated mode. DynamicBytesFile panics in this case.

Reported-by: syzbot+5abe52d47d56a5a98c89@syzkaller.appspotmail.com
PiperOrigin-RevId: 405481392
---
 pkg/sentry/kernel/mq/mq.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'pkg/sentry/kernel')

diff --git a/pkg/sentry/kernel/mq/mq.go b/pkg/sentry/kernel/mq/mq.go
index 50ca6d34a..07482decf 100644
--- a/pkg/sentry/kernel/mq/mq.go
+++ b/pkg/sentry/kernel/mq/mq.go
@@ -122,7 +122,7 @@ type OpenOpts struct {
 
 // FindOrCreate creates a new POSIX message queue or opens an existing queue.
 // See mq_open(2).
-func (r *Registry) FindOrCreate(ctx context.Context, opts OpenOpts, perm linux.FileMode, attr *linux.MqAttr) (*vfs.FileDescription, error) {
+func (r *Registry) FindOrCreate(ctx context.Context, opts OpenOpts, mode linux.FileMode, attr *linux.MqAttr) (*vfs.FileDescription, error) {
 // mq_overview(7) mentions that: "Each message queue is identified by a name
 // of the form '/somename'", but the mq_open(3) man pages mention:
 // "The mq_open() library function is implemented on top of a system call
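Review bot: The rename from `perm` to `mode` is the only signal in this hunk that the parameter now carries the raw caller-supplied mode_t rather than an already-sanitised permission set, and the doc comment above the signature does not say so. Since the whole point of the commit is that non-permission bits must not reach the implementation, the contract belongs in the comment: `// mode is the caller-supplied mode; only its permission bits are used, the` / `// file-type and setuid/setgid/sticky bits are discarded.` The body of FindOrCreate continues past the end of this hunk.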
@@ -182,11 +182,11 @@ func (r *Registry) FindOrCreate(ctx context.Context, opts OpenOpts, perm linux.F
 return nil, linuxerr.ENOENT
 }
 
- q, err := r.newQueueLocked(auth.CredentialsFromContext(ctx), fs.FileOwnerFromContext(ctx), fs.FilePermsFromMode(perm), attr)
+ q, err := r.newQueueLocked(auth.CredentialsFromContext(ctx), fs.FileOwnerFromContext(ctx), fs.FilePermsFromMode(mode), attr)
 if err != nil {
 return nil, err
 }
- return r.impl.New(ctx, opts.Name, q, opts.Access, opts.Block, perm, flags)
+ return r.impl.New(ctx, opts.Name, q, opts.Access, opts.Block, mode.Permissions(), flags)
 }

 // newQueueLocked creates a new queue using the given attributes. If attr is nil
-- cgit v1.2.3
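Review bot: The two consumers of the untrusted mode are sanitised independently: `r.impl.New` gets `mode.Permissions()` on the last changed line, while `newQueueLocked` two lines earlier gets `fs.FilePermsFromMode(mode)`, which presumably also ignores the non-permission bits but that is not visible in this hunk. Stripping once, near the top of FindOrCreate, `mode = mode.Permissions()`, would give both call sites and any future use of `mode` the same cleaned value and keeps the panic class syzkaller hit from reappearing at a new call site. Whether the process umask is applied to `mode` before it reaches FindOrCreate is also not visible here; if the syscall layer does not do it, the same spot is where it belongs. FindOrCreate starts before this hunk.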