niansa-misc/musl
1
0
Fork 0
mirror of git://git.musl-libc.org/musl synced 2025-03-06 20:48:29 +01:00
Code Issues Projects Releases Packages Wiki Activity

mq_notify: rework to fix use-after-close/double-close bugs

Browse source 
in the error path where the mq_notify syscall fails, the initiating
thread may have closed the socket before the worker thread calls recv
on it. even in the absence of such a race, if the recv call failed,
e.g. due to seccomp policy blocking it, the worker thread could
proceed to close, producing a double-close condition.

this can all be simplified by moving the mq_notify syscall into the
new thread, so that the error case does not require pthread_cancel.
now, the initiating thread only needs to read back the error status
after waiting for the worker thread to consume its arguments.
This commit is contained in:
Rich Felker 2023-02-10 11:22:45 -05:00
parent fde6891e59
commit 8c0c9c69a1
1 changed files with 15 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
src/mq/mq_notify.c
View file

@ -10,6 +10,8 @@
struct args {
sem_t sem;
int sock;
mqd_t mqd;
int err;
const struct sigevent *sev;
};
@ -21,8 +23,18 @@ static void *start(void *p)
int s = args->sock;
void (*func)(union sigval) = args->sev->sigev_notify_function;
union sigval val = args->sev->sigev_value;
struct sigevent sev2;
static const char zeros[32];
int err;
sev2.sigev_notify = SIGEV_THREAD;
sev2.sigev_signo = s;
sev2.sigev_value.sival_ptr = (void *)&zeros;
args->err = err = -__syscall(SYS_mq_notify, args->mqd, &sev2);
sem_post(&args->sem);
if (err) return 0;
n = recv(s, buf, sizeof(buf), MSG_NOSIGNAL|MSG_WAITALL);
close(s);
if (n==sizeof buf && buf[sizeof buf - 1] == 1)
@ -36,8 +48,6 @@ int mq_notify(mqd_t mqd, const struct sigevent *sev)
pthread_attr_t attr;
pthread_t td;
int s;
struct sigevent sev2;
static const char zeros[32];
int cs;
if (!sev || sev->sigev_notify != SIGEV_THREAD)
@ -46,6 +56,7 @@ int mq_notify(mqd_t mqd, const struct sigevent *sev)
s = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, 0);
if (s < 0) return -1;
args.sock = s;
args.mqd = mqd;
if (sev->sigev_notify_attributes) attr = *sev->sigev_notify_attributes;
else pthread_attr_init(&attr);
@ -63,13 +74,9 @@ int mq_notify(mqd_t mqd, const struct sigevent *sev)
pthread_setcancelstate(cs, 0);
sem_destroy(&args.sem);
sev2.sigev_notify = SIGEV_THREAD;
sev2.sigev_signo = s;
sev2.sigev_value.sival_ptr = (void *)&zeros;
if (syscall(SYS_mq_notify, mqd, &sev2) < 0) {
pthread_cancel(td);
if (args.err) {
__syscall(SYS_close, s);
errno = args.err;
return -1;
}