From e39ff055ba62ba67f876b234db99bfac81954a20 Mon Sep 17 00:00:00 2001
From: Norman Feske
Date: Wed, 24 Apr 2013 14:10:15 +0200
Subject: [PATCH] base-linux: Fix use-after-free problem of ds fds

Fixes #717
---
 base-linux/src/core/include/core_linux_syscalls.h | 6 ++++++
 base-linux/src/core/platform.cc | 11 ++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/base-linux/src/core/include/core_linux_syscalls.h b/base-linux/src/core/include/core_linux_syscalls.h
index 6557979efe..488d032877 100644
--- a/base-linux/src/core/include/core_linux_syscalls.h
+++ b/base-linux/src/core/include/core_linux_syscalls.h
@@ -41,6 +41,12 @@ inline int lx_unlink(const char *fname)
 }
+inline int lx_dup(int fd)
+{
+ return lx_syscall(SYS_dup, fd);
+}
+
+
 /*******************************************************
 ** Functions used by core's rom-session support code **
 *******************************************************/
diff --git a/base-linux/src/core/platform.cc b/base-linux/src/core/platform.cc
index 35482bd29e..ece5041f37 100644
--- a/base-linux/src/core/platform.cc
+++ b/base-linux/src/core/platform.cc
@@ -216,7 +216,16 @@ int Platform_env_base::Rm_session_mmap::_dataspace_fd(Capability ds_c
 ds_rpc(core_env()->entrypoint()->lookup_and_lock(lx_ds_cap));
 Linux_dataspace * ds = dynamic_cast(&*ds_rpc);
- return ds ? ds->fd().dst().socket : -1;
+ /*
+ * Return a duplicate of the dataspace file descriptor, which will be freed
+ * immediately after mmap'ing the file (see 'Rm_session_mmap').
+ *
+ * Handing out the original file descriptor would result in the premature
+ * release of the descriptor. So the descriptor could be reused (i.e., as a
+ * socket descriptor during the RPC handling). When later destroying the
+ * dataspace, the descriptor would unexpectedly be closed again.
+ */
+ return ds ? lx_dup(ds->fd().dst().socket) : -1;
 }
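Review bot: The new lx_dup wrapper passes the result of lx_syscall(SYS_dup, fd) straight through with no comment on its error convention, and its only caller in this patch (_dataspace_fd in platform.cc) treats -1 as the failure value. If lx_syscall hands back the raw kernel result, a failed dup would surface as a negative errno such as -EMFILE rather than -1, which the caller's check would not recognise; I cannot confirm the convention from this hunk. A one-line header comment would settle it for future callers, e.g. `/* Duplicate 'fd'; returns the new descriptor, or a negative value if the kernel rejects the request (e.g., descriptor limit exhausted) */`. Note also that a duplicate made with dup does not carry the close-on-exec flag of the original, which is worth stating if the dataspace descriptors are opened with it.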
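Review bot: The last line of the platform.cc hunk folds a failed lx_dup into the same return path as the "no dataspace" case, so if lx_dup reports failure as a negative errno rather than -1 (not visible here), the caller's mmap would be attempted on an invalid descriptor value instead of bailing out. Normalising the result keeps the existing -1 contract: `int const dup_fd = ds ? lx_dup(ds->fd().dst().socket) : -1;` followed by `return dup_fd < 0 ? -1 : dup_fd;`. With the duplicate, ownership of the returned descriptor now transfers to the caller, so every path in Rm_session_mmap after this call, including a failed mmap, has to close it or each failed attach leaks one descriptor until the per-process limit is hit; the comment says it is freed right after mmap'ing, but that code is outside this hunk. The body of _dataspace_fd begins before the hunk.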