首頁 探索 說明
登入
hongwenjun
/
musl
镜像来自 https://git.musl-libc.org/git/musl
1
0
複刻 0
Files 問題管理 0 Wiki
瀏覽代碼

mq_notify: rework to fix use-after-close/double-close bugs

in the error path where the mq_notify syscall fails, the initiating
thread may have closed the socket before the worker thread calls recv
on it. even in the absence of such a race, if the recv call failed,
e.g. due to seccomp policy blocking it, the worker thread could
proceed to close, producing a double-close condition.

this can all be simplified by moving the mq_notify syscall into the
new thread, so that the error case does not require pthread_cancel.
now, the initiating thread only needs to read back the error status
after waiting for the worker thread to consume its arguments.
Rich Felker 2 年之前
父節點
fde6891e59
當前提交
8c0c9c69a1
共有 1 個文件被更改,包括 15 次插入8 次删除
分割檢視 顯示文件統計
  1. 15 8
      src/mq/mq_notify.c

+ 15 - 8
src/mq/mq_notify.c
查看文件 

@@ -10,6 +10,8 @@
 
 struct args {
 
 	sem_t sem;
 
 	int sock;
 
+	mqd_t mqd;
 
+	int err;
 
 	const struct sigevent *sev;
 
 };
 
 
@@ -21,8 +23,18 @@ static void *start(void *p)
 
 	int s = args->sock;
 
 	void (*func)(union sigval) = args->sev->sigev_notify_function;
 
 	union sigval val = args->sev->sigev_value;
 
+	struct sigevent sev2;
 
+	static const char zeros[32];
 
+	int err;
 
 
+	sev2.sigev_notify = SIGEV_THREAD;
 
+	sev2.sigev_signo = s;
 
+	sev2.sigev_value.sival_ptr = (void *)&zeros;
 
+
 
+	args->err = err = -__syscall(SYS_mq_notify, args->mqd, &sev2);
 
 	sem_post(&args->sem);
 
+	if (err) return 0;
 
+
 
 	n = recv(s, buf, sizeof(buf), MSG_NOSIGNAL|MSG_WAITALL);
 
 	close(s);
 
 	if (n==sizeof buf && buf[sizeof buf - 1] == 1)
 
@@ -36,8 +48,6 @@ int mq_notify(mqd_t mqd, const struct sigevent *sev)
 
 	pthread_attr_t attr;
 
 	pthread_t td;
 
 	int s;
 
-	struct sigevent sev2;
 
-	static const char zeros[32];
 
 	int cs;
 
 
 	if (!sev || sev->sigev_notify != SIGEV_THREAD)
 
@@ -46,6 +56,7 @@ int mq_notify(mqd_t mqd, const struct sigevent *sev)
 
 	s = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, 0);
 
 	if (s < 0) return -1;
 
 	args.sock = s;
 
+	args.mqd = mqd;
 
 
 	if (sev->sigev_notify_attributes) attr = *sev->sigev_notify_attributes;
 
 	else pthread_attr_init(&attr);
 
@@ -63,13 +74,9 @@ int mq_notify(mqd_t mqd, const struct sigevent *sev)
 
 	pthread_setcancelstate(cs, 0);
 
 	sem_destroy(&args.sem);
 
 
-	sev2.sigev_notify = SIGEV_THREAD;
 
-	sev2.sigev_signo = s;
 
-	sev2.sigev_value.sival_ptr = (void *)&zeros;
 
-
 
-	if (syscall(SYS_mq_notify, mqd, &sev2) < 0) {
 
-		pthread_cancel(td);
 
+	if (args.err) {
 
 		__syscall(SYS_close, s);
 
+		errno = args.err;
 
 		return -1;
 
 	}