diff options
| author | Sergey Bugaev <bugaevc@gmail.com> | 2021-05-30 13:16:30 +0300 |
|---|---|---|
| committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2022-08-10 22:17:08 +0200 |
| commit | b6c6e41a0d94740f4ecce9afdafa0c17348ce4c0 (patch) | |
| tree | 188a6fb3aa934a4ed7ea0f7cc685b09a58f69258 /libnetfs | |
| parent | 2e3a1e0f028ae5498d96a4a3618a3533e062d2eb (diff) | |
| download | hurd-b6c6e41a0d94740f4ecce9afdafa0c17348ce4c0.tar.gz hurd-b6c6e41a0d94740f4ecce9afdafa0c17348ce4c0.tar.bz2 hurd-b6c6e41a0d94740f4ecce9afdafa0c17348ce4c0.zip | |
libnetfs, libtrivs: Shield S_file_exec_paths () from cancellation
Here's the sequence of events that leads to a bug:
* A task calls file_exec_paths () on itself, holding the only send right to the
protid, passing EXEC_NEWTASK (or EXEC_SECURE, which implies it).
* S_file_exec_paths () calls exec_exec_paths ()
* The exec server sets up a new task and calls proc_reassign () or
proc_reauthenticate_reassign ().
* The proc server destroys the old task, and the only send right to the protid
with it.
* The translator gets a no-senders notification, which results in a
ports_interrupt_rpcs () call on the S_file_exec_paths ().
* This propagates to the exec server (and potentially proc and auth servers).
* The exec gets canceled, and the new task gets killed.
In my opinion, the party that seems most guilty is the translator canceling exec
upon receiving a no-senders notification for the protid. Normally, a no-senders
notification means that the caller is no longer interested in the RPC, but this
is not true in case of exec.
To work around this, create an additional send right to the protid.
Diffstat (limited to 'libnetfs')
| -rw-r--r-- | libnetfs/file-exec.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libnetfs/file-exec.c b/libnetfs/file-exec.c index 8ac0f892..f5d25099 100644 --- a/libnetfs/file-exec.c +++ b/libnetfs/file-exec.c @@ -91,7 +91,7 @@ netfs_S_file_exec_paths (struct protid *cred, gid_t gid; mode_t mode; int suid, sgid; - mach_port_t right; + mach_port_t right, cred_right; if (!cred) return EOPNOTSUPP; @@ -169,6 +169,7 @@ netfs_S_file_exec_paths (struct protid *cred, if (newpi) { right = ports_get_send_right (newpi); + cred_right = ports_get_send_right (cred); #ifdef HAVE_EXEC_EXEC_PATHS err = exec_exec_paths (_netfs_exec, right, MACH_MSG_TYPE_COPY_SEND, @@ -195,6 +196,7 @@ netfs_S_file_exec_paths (struct protid *cred, destroynames, destroynameslen); mach_port_deallocate (mach_task_self (), right); + mach_port_deallocate (mach_task_self (), cred_right); ports_port_deref (newpi); } else |