Skip to content

vmm/builder: correctly handle invalid fd for serial console#570

Merged
jakecorrenti merged 1 commit intocontainers:mainfrom
d-e-s-o:topic/fix-panic
Mar 11, 2026
Merged

vmm/builder: correctly handle invalid fd for serial console#570
jakecorrenti merged 1 commit intocontainers:mainfrom
d-e-s-o:topic/fix-panic

Conversation

@d-e-s-o
Copy link
Copy Markdown
Contributor

@d-e-s-o d-e-s-o commented Mar 8, 2026

Commit bf3f2bf ("builder: set raw mode for ttys on serial devices") added support for raw for TTYs on serial devices, but didn't seem to take into account that the provided 'input_fd' may be invalid -- a condition supported by code below that checks for positive values. As a result, we may run into a panic as part of BorrowedFd::borrow_raw()'s sanity checks.
Fix this issue by moving code around slightly.

@slp
Copy link
Copy Markdown
Collaborator

slp commented Mar 10, 2026

/gemini review

Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly moves the serial console TTY setup logic inside the check for a valid file descriptor, preventing a panic when an invalid fd is provided. However, the implementation introduces a soundness issue by creating both a BorrowedFd and an owning File from the same raw file descriptor. This can lead to use-after-free bugs if not handled carefully. I've suggested a change to make the code safer by creating the File first and then borrowing from it, although this still relies on unsafe due to lifetime complexities.

Comment thread src/vmm/src/builder.rs Outdated
Commit bf3f2bf ("builder: set raw mode for ttys on serial
devices") added support for raw for TTYs on serial devices, but didn't
seem to take into account that the provided 'input_fd' may be invalid --
a condition supported by code below that checks for positive values. As
a result, we may run into a panic as part of BorrowedFd::borrow_raw()'s
sanity checks.
Fix this issue by massaging the code slightly.

Signed-off-by: Daniel Müller <deso@posteo.net>
Copy link
Copy Markdown
Collaborator

@mtjhrc mtjhrc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@jakecorrenti jakecorrenti merged commit 78318d0 into containers:main Mar 11, 2026
11 checks passed
@d-e-s-o d-e-s-o deleted the topic/fix-panic branch March 13, 2026 17:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants