go
/
gvisor
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Do not leak non-permission mode bits in mq_open(2). 

As caught by syzkaller, we were leaking non-permission bits while passing the
user generated mode. DynamicBytesFile panics in this case.

Reported-by: syzbot+5abe52d47d56a5a98c89@syzkaller.appspotmail.com
PiperOrigin-RevId: 405481392
This commit is contained in:
Ayush Ranjan 2021-10-25 13:43:37 -07:00 committed by gVisor bot
parent a8a66d899f
commit 4d07fc952d
2 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/sentry/kernel/mq/mq.go
View File

@ -122,7 +122,7 @@ type OpenOpts struct {
// FindOrCreate creates a new POSIX message queue or opens an existing queue.
// See mq_open(2).
func (r *Registry) FindOrCreate(ctx context.Context, opts OpenOpts, perm linux.FileMode, attr *linux.MqAttr) (*vfs.FileDescription, error) {
func (r *Registry) FindOrCreate(ctx context.Context, opts OpenOpts, mode linux.FileMode, attr *linux.MqAttr) (*vfs.FileDescription, error) {
// mq_overview(7) mentions that: "Each message queue is identified by a name
// of the form '/somename'", but the mq_open(3) man pages mention:
// "The mq_open() library function is implemented on top of a system call
@ -182,11 +182,11 @@ func (r *Registry) FindOrCreate(ctx context.Context, opts OpenOpts, perm linux.F
return nil, linuxerr.ENOENT
}
q, err := r.newQueueLocked(auth.CredentialsFromContext(ctx), fs.FileOwnerFromContext(ctx), fs.FilePermsFromMode(perm), attr)
q, err := r.newQueueLocked(auth.CredentialsFromContext(ctx), fs.FileOwnerFromContext(ctx), fs.FilePermsFromMode(mode), attr)
if err != nil {
return nil, err
}
return r.impl.New(ctx, opts.Name, q, opts.Access, opts.Block, perm, flags)
return r.impl.New(ctx, opts.Name, q, opts.Access, opts.Block, mode.Permissions(), flags)
}
// newQueueLocked creates a new queue using the given attributes. If attr is nil

11
test/syscalls/linux/mq.cc
View File

@ -34,8 +34,6 @@ namespace gvisor {
namespace testing {
namespace {
using ::testing::_;
// PosixQueue is a RAII class used to automatically clean POSIX message queues.
class PosixQueue {
public:
@ -124,8 +122,13 @@ PosixError MqClose(mqd_t fd) {
// Test simple opening and closing of a message queue.
TEST(MqTest, Open) {
SKIP_IF(IsRunningWithVFS1());
EXPECT_THAT(MqOpen(O_RDWR | O_CREAT | O_EXCL, 0777, nullptr),
IsPosixErrorOkAndHolds(_));
ASSERT_NO_ERRNO(MqOpen(O_RDWR | O_CREAT | O_EXCL, 0777, nullptr));
}
TEST(MqTest, ModeWithFileType) {
SKIP_IF(IsRunningWithVFS1());
// S_IFIFO should be ignored.
ASSERT_NO_ERRNO(MqOpen(O_RDWR | O_CREAT | O_EXCL, 0777 | S_IFIFO, nullptr));
}
// Test mq_open(2) after mq_unlink(2).