From 2dd6384de89a866bddb9184b8d7ab85b5b8f7100 Mon Sep 17 00:00:00 2001
From: Jamie Liu
Date: Tue, 14 Apr 2020 14:40:08 -0700
Subject: Fix cleanup around socketpair() failure to copy out FDs.
- Use the fs.File, rather than the vfs.FileDescription, in the VFS1 version.
- Check for a nil fs.File/vfs.FileDescription before calling DecRef, which is possible if a racing dup2() or dup3() replaces the file descriptor between when it is installed and when it is returned. (This is not possible in Linux because Linux separates allocation of a file descriptor from binding an allocated file descriptor to a struct file, and dup2/dup3 return EBUSY if asked to replace an allocated but unbound file descriptor.)
PiperOrigin-RevId: 306517101
---
pkg/sentry/syscalls/linux/sys_socket.go | 5 +++--
pkg/sentry/syscalls/linux/vfs2/socket.go | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'pkg')
diff --git a/pkg/sentry/syscalls/linux/sys_socket.go b/pkg/sentry/syscalls/linux/sys_socket.go
index 61b2576ac..0760af77b 100644
--- a/pkg/sentry/syscalls/linux/sys_socket.go
+++ b/pkg/sentry/syscalls/linux/sys_socket.go
@@ -247,8 +247,9 @@ func SocketPair(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sy
 // Copy the file descriptors out.
 if _, err := t.CopyOut(socks, fds); err != nil {
 for _, fd := range fds {
- _, file := t.FDTable().Remove(fd)
- file.DecRef()
+ if file, _ := t.FDTable().Remove(fd); file != nil {
+ file.DecRef()
+ }
 }
 return 0, nil, err
 }
diff --git a/pkg/sentry/syscalls/linux/vfs2/socket.go b/pkg/sentry/syscalls/linux/vfs2/socket.go
index 79a4a7ada..b1ede32f0 100644
--- a/pkg/sentry/syscalls/linux/vfs2/socket.go
+++ b/pkg/sentry/syscalls/linux/vfs2/socket.go
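Review bot: The new `file != nil` guard in SocketPair's cleanup loop in sys_socket.go (and identically in the vfs2/socket.go hunk) has no in-code explanation, so the reason a just-installed descriptor can come back nil lives only in the commit message. An unguarded DecRef on nil here would presumably be a sentry panic that an unprivileged application can reach through a failing copy-out, so I would add `// file may be nil if a racing dup2/dup3 replaced fd after it was installed.` above the `if`. The two files also differ only in which positional return of `Remove` they keep (`file, _` here, `_, file` in vfs2), which is the mix-up this commit corrects; a short comment naming each return value would guard against it recurring. SocketPair's body starts and ends outside the hunk.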
@@ -250,8 +250,9 @@ func SocketPair(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sy
 if _, err := t.CopyOut(addr, fds); err != nil {
 for _, fd := range fds {
- _, file := t.FDTable().Remove(fd)
- file.DecRef()
+ if _, file := t.FDTable().Remove(fd); file != nil {
+ file.DecRef()
+ }
 }
 return 0, nil, err
 }
-- 
cgit v1.2.3
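Review bot: `Remove(fd)` in this cleanup loop releases whatever currently occupies the descriptor number, so in the dup2/dup3 race the commit message describes, a non-nil result may be a file the racing thread installed rather than the socket this call created. That is inferred from the loop being keyed on `fd` alone; the install path is outside the hunk. If this is the accepted behaviour it is worth stating in the code, e.g. `// Best effort: fd may have been replaced concurrently; whatever is installed there now is removed.` The diffstat lists only the two syscall files, so a regression test that drives socketpair() into the copy-out failure path would be a useful follow-up to keep this error handling covered.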