diff options
author | Zach Reizner <zachr@google.com> | 2020-05-06 12:37:30 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-05-07 22:59:35 +0000 |
commit | a1c0e3c680c44ae4a949744b27f3cf0f7ea77939 (patch) | |
tree | 7300cd789e9ce31f75672d9ad03b006732ed4417 /src | |
parent | a7237949da6d365957a04f99dc0b50c1ca1bed9b (diff) | |
download | crosvm-a1c0e3c680c44ae4a949744b27f3cf0f7ea77939.tar crosvm-a1c0e3c680c44ae4a949744b27f3cf0f7ea77939.tar.gz crosvm-a1c0e3c680c44ae4a949744b27f3cf0f7ea77939.tar.bz2 crosvm-a1c0e3c680c44ae4a949744b27f3cf0f7ea77939.tar.lz crosvm-a1c0e3c680c44ae4a949744b27f3cf0f7ea77939.tar.xz crosvm-a1c0e3c680c44ae4a949744b27f3cf0f7ea77939.tar.zst crosvm-a1c0e3c680c44ae4a949744b27f3cf0f7ea77939.zip |
remove instantes of using IntoRawFd in unsafe blocks
The trait IntoRawFd isn't marked unsafe, but its documentation says that an impl must return a uniquely owned RawFd. Some code blocks depended on that behavior to ensure safety with the unsafe File::from_raw_fd, but this leads to a soundness hole where a nominally safe impl of IntoRawFd can lead to unsafety in functions that had been left as safe. This change sidesteps the issue by not using IntoRawFd, and using only safe conversions instead. BUG=None TEST=cargo build --features='wl-dmabuf plugin' Change-Id: I9b357e5592be21189fb96e343823dd63000aac30 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2185580 Reviewed-by: Zach Reizner <zachr@chromium.org> Tested-by: Zach Reizner <zachr@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Commit-Queue: Zach Reizner <zachr@chromium.org> Auto-Submit: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugin/mod.rs | 6 | ||||
-rw-r--r-- | src/plugin/process.rs | 17 |
2 files changed, 13 insertions, 10 deletions
diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs index ae7e19c..470d5f0 100644 --- a/src/plugin/mod.rs +++ b/src/plugin/mod.rs @@ -8,7 +8,7 @@ mod vcpu; use std::fmt::{self, Display}; use std::fs::File; use std::io; -use std::os::unix::io::{AsRawFd, FromRawFd, IntoRawFd}; +use std::os::unix::io::{AsRawFd, FromRawFd}; use std::os::unix::net::UnixDatagram; use std::path::Path; use std::result; @@ -181,10 +181,6 @@ impl Display for Error { type Result<T> = result::Result<T, Error>; -fn downcast_file<F: IntoRawFd>(f: F) -> File { - unsafe { File::from_raw_fd(f.into_raw_fd()) } -} - fn new_seqpacket_pair() -> SysResult<(UnixDatagram, UnixDatagram)> { let mut fds = [0, 0]; unsafe { diff --git a/src/plugin/process.rs b/src/plugin/process.rs index 6f65f1d..783239a 100644 --- a/src/plugin/process.rs +++ b/src/plugin/process.rs @@ -7,7 +7,7 @@ use std::env::set_var; use std::fs::File; use std::io::Write; use std::mem::transmute; -use std::os::unix::io::{AsRawFd, RawFd}; +use std::os::unix::io::{IntoRawFd, RawFd}; use std::os::unix::net::UnixDatagram; use std::path::Path; use std::process::Command; @@ -346,7 +346,7 @@ impl Process { read_only: bool, dirty_log: bool, ) -> SysResult<()> { - let shm = SharedMemory::from_raw_fd(memfd)?; + let shm = SharedMemory::from_file(memfd)?; // Checking the seals ensures the plugin process won't shrink the mmapped file, causing us // to SIGBUS in the future. let seals = shm.get_seals()?; @@ -515,7 +515,14 @@ impl Process { let request = protobuf::parse_from_bytes::<MainRequest>(&self.request_buffer[..msg_size]) .map_err(Error::DecodeRequest)?; - let mut response_files = Vec::new(); + /// Use this to make it easier to stuff various kinds of File-like objects into the + /// `boxed_fds` list. + fn box_owned_fd<F: IntoRawFd + 'static>(f: F) -> Box<dyn IntoRawFd> { + Box::new(f) + } + + // This vec is used to extend ownership of certain FDs until the end of this function. + let mut boxed_fds = Vec::new(); let mut response_fds = Vec::new(); let mut response = MainResponse::new(); let res = if request.has_create() { @@ -557,7 +564,7 @@ impl Process { Ok(()) => { response_fds.push(evt.as_raw_fd()); response_fds.push(resample_evt.as_raw_fd()); - response_files.push(downcast_file(resample_evt)); + boxed_fds.push(box_owned_fd(resample_evt)); entry.insert(PluginObject::IrqEvent { irq_id: irq_event.irq_id, evt, @@ -586,7 +593,7 @@ impl Process { Ok((request_socket, child_socket)) => { self.request_sockets.push(request_socket); response_fds.push(child_socket.as_raw_fd()); - response_files.push(downcast_file(child_socket)); + boxed_fds.push(box_owned_fd(child_socket)); Ok(()) } Err(e) => Err(e), |