Fix race on msgrcv(MSG_COPY).
Previously, we weren't making a copy when a sysv message queue was receiving a message with the MSG_COPY flag. This flag indicates the message being received should be left in the queue and a copy of the message should be returned to userspace. Without the copy, a racing process can modify the original message while it's being marshalled to user memory. Reported-by: syzbot+cb15e644698b20ff4e17@syzkaller.appspotmail.com PiperOrigin-RevId: 396712856
parent
8d14edb14b
commit
d6c99694bc
|
@ -129,6 +129,16 @@ type Message struct {
|
|||
Size uint64
|
||||
}
|
||||
|
||||
func (m *Message) makeCopy() *Message {
|
||||
new := &Message{
|
||||
Type: m.Type,
|
||||
Size: m.Size,
|
||||
}
|
||||
new.Text = make([]byte, len(m.Text))
|
||||
copy(new.Text, m.Text)
|
||||
return new
|
||||
}
|
||||
|
||||
// Blocker is used for blocking Queue.Send, and Queue.Receive calls that serves
|
||||
// as an abstracted version of kernel.Task. kernel.Task is not directly used to
|
||||
// prevent circular dependencies.
|
||||
|
@ -455,7 +465,7 @@ func (q *Queue) Copy(mType int64) (*Message, error) {
|
|||
if msg == nil {
|
||||
return nil, linuxerr.ENOMSG
|
||||
}
|
||||
return msg, nil
|
||||
return msg.makeCopy(), nil
|
||||
}
|
||||
|
||||
// msgOfType returns the first message with the specified type, nil if no
|
||||
|
|
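Review bot: `makeCopy` in the first hunk names its local `new`, shadowing the builtin, and carries no doc comment saying why the copy exists; renaming the local to `c` and adding `// makeCopy returns a copy of m whose Text has its own backing array, so the result can be handed to userspace without racing writers of the queued original.` would make the intent visible at the definition rather than only in the commit message. Only Type, Size and Text are copied; if Message has other fields (the struct body is mostly outside the hunk), they are silently dropped, so a short comment listing what is deliberately not copied would protect the next maintainer who adds a field. The copy defends against the reported race only if it is taken while the queue is still locked; Copy's body begins outside the second hunk, so that ordering cannot be confirmed from this page and is worth checking.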