From c4c6a71fb9d5ed51d0e9e2d6a78eaabf96174849 Mon Sep 17 00:00:00 2001
From: Chong Cai
Date: Mon, 12 Apr 2021 15:24:49 -0700
Subject: Add DecRef for verity FDs that were missing

Some FileDescriptions in verity fs were opened but DecRef() were missing after used. This could result in a ref leak.

PiperOrigin-RevId: 368096759
---
 pkg/sentry/fsimpl/verity/filesystem.go | 4 ++++
 pkg/sentry/fsimpl/verity/verity.go | 2 ++
 2 files changed, 6 insertions(+)
(limited to 'pkg/sentry')

diff --git a/pkg/sentry/fsimpl/verity/filesystem.go b/pkg/sentry/fsimpl/verity/filesystem.go
index b14a7e863..e1dde5ced 100644
--- a/pkg/sentry/fsimpl/verity/filesystem.go
+++ b/pkg/sentry/fsimpl/verity/filesystem.go
@@ -229,6 +229,8 @@ func (fs *filesystem) verifyChildLocked(ctx context.Context, parent *dentry, chi
 return nil, err
 }
 
+ defer parentMerkleFD.DecRef(ctx)
+
 // dataSize is the size of raw data for the Merkle tree. For a file,
 // dataSize is the size of the whole file. For a directory, dataSize is
 // the size of all its children's hashes.
@@ -337,6 +339,8 @@ func (fs *filesystem) verifyStatAndChildrenLocked(ctx context.Context, d *dentry
 return err
 }
 
+ defer fd.DecRef(ctx)
+
 merkleSize, err := fd.GetXattr(ctx, &vfs.GetXattrOptions{
 Name: merkleSizeXattr,
 Size: sizeOfStringInt32,
diff --git a/pkg/sentry/fsimpl/verity/verity.go b/pkg/sentry/fsimpl/verity/verity.go
index 06f2c211c..6b1bfaba3 100644
--- a/pkg/sentry/fsimpl/verity/verity.go
+++ b/pkg/sentry/fsimpl/verity/verity.go
@@ -494,6 +494,8 @@ func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.Virt
 return nil, nil, err
 }
 
+ defer lowerMerkleFD.DecRef(ctx)
+
 childrenNames := make([]byte, size)
 if _, err := lowerMerkleFD.PRead(ctx, usermem.BytesIOSequence(childrenNames), int64(off), vfs.ReadOptions{}); err != nil {
 return nil, nil, alertIntegrityViolation(fmt.Sprintf("Failed to read root children map: %v", err))
-- 
cgit v1.2.3
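Review bot: In verifyChildLocked the added `defer parentMerkleFD.DecRef(ctx)` is separated by a blank line from the error check of the open it pairs with, and it carries no comment saying which reference it releases. Keeping the defer directly under the closing `}` of that check, with a comment such as `// Release the reference taken when the Merkle file was opened.`, makes it harder for a later early return to slip in between acquire and release and bring the leak back. The same applies to `defer fd.DecRef(ctx)` in verifyStatAndChildrenLocked and `defer lowerMerkleFD.DecRef(ctx)` in GetFilesystem. The open calls and the rest of each function lie outside the hunks, so it is worth confirming that no return path between a successful open and its defer still skips the DecRef.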
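Review bot: The byte count returned by the read in GetFilesystem is discarded in `if _, err := lowerMerkleFD.PRead(...)`, so a short read that returns no error would leave the tail of `childrenNames` zero-filled and pass this check unnoticed. Capturing the count and testing `err != nil || n != int64(len(childrenNames))` would send a truncated root children map down the same `alertIntegrityViolation` path. Whether later parsing or hashing of `childrenNames` already rejects that case cannot be seen from here, and the origin and bounds of `size` and `off` are likewise outside the hunk.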