From 46603b569c3ab20f45cf1b651d1fd3d2dda33243 Mon Sep 17 00:00:00 2001 From: Rahat Mahmood Date: Tue, 23 Oct 2018 14:17:47 -0700 Subject: Fix panic on creation of zero-len shm segments. Attempting to create a zero-len shm segment causes a panic since we try to allocate a zero-len filemem region. The existing code had a guard to disallow this, but the check didn't encode the fact that requesting a private segment implies a segment creation regardless of whether IPC_CREAT is explicitly specified. PiperOrigin-RevId: 218405743 Change-Id: I30aef1232b2125ebba50333a73352c2f907977da --- pkg/sentry/kernel/shm/shm.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'pkg') diff --git a/pkg/sentry/kernel/shm/shm.go b/pkg/sentry/kernel/shm/shm.go index 8d0d14e45..2feffe612 100644 --- a/pkg/sentry/kernel/shm/shm.go +++ b/pkg/sentry/kernel/shm/shm.go @@ -101,9 +101,12 @@ func (r *Registry) findByKey(key int32) *Shm { // FindOrCreate looks up or creates a segment in the registry. It's functionally // analogous to open(2). func (r *Registry) FindOrCreate(ctx context.Context, pid, key int32, size uint64, mode linux.FileMode, private, create, exclusive bool) (*Shm, error) { - if create && (size < linux.SHMMIN || size > linux.SHMMAX) { + if (create || private) && (size < linux.SHMMIN || size > linux.SHMMAX) { // "A new segment was to be created and size is less than SHMMIN or // greater than SHMMAX." - man shmget(2) + // + // Note that 'private' always implies the creation of a new segment + // whether IPC_CREAT is specified or not. return nil, syserror.EINVAL } -- cgit v1.2.3