memfd: don't corrupt a state of the dumped fd

Right now, criu uses a dumped fd to dump content of a memfd "file". Here are two reasons why we should not do this: * a state of a dumped fd doesn't have to be changed, but now criu calls lseek on it. This can be workarounded by using pread. * a dumped descriptor can be write-only. Reported-by: Mr Jenkins Cc: Nicolas Viennot <Nicolas.Viennot@twosigma.com> Signed-off-by: Andrei Vagin <avagin@gmail.com>
checkpoint-restore · Mar 27, 2020 · fce196d · fce196d
1 parent ffe0896
commit fce196d
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/criu/memfd.c b/criu/memfd.c
@@ -119,6 +119,7 @@ static int dump_memfd_inode(int fd, struct memfd_inode *inode,
 static struct memfd_inode *dump_unique_memfd_inode(int lfd, const char *name, const struct stat *st)
 {
 	struct memfd_inode *inode;
+	int fd;
 
 	list_for_each_entry(inode, &memfd_inodes, list)
 		if ((inode->dev == st->st_dev) && (inode->ino == st->st_ino))
@@ -132,10 +133,18 @@ static struct memfd_inode *dump_unique_memfd_inode(int lfd, const char *name, co
 	inode->ino = st->st_ino;
 	inode->id = memfd_inode_ids++;
 
-	if (dump_memfd_inode(lfd, inode, name, st)) {
+	fd = open_proc(PROC_SELF, "fd/%d", lfd);
+	if (fd < 0) {
+		xfree(inode);
+		return NULL;
+	}
+
+	if (dump_memfd_inode(fd, inode, name, st)) {
+		close(fd);
 		xfree(inode);
 		return NULL;
 	}
+	close(fd);
 
 	list_add_tail(&inode->list, &memfd_inodes);