From d7e0104ae4da25f455630aae044adf165201c9b5 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Mon, 10 Nov 2025 20:31:26 +0900 Subject: [PATCH] treewide: reject impossible user-supplied fd These are all trusted user input, however this check reduces the likelihood of hard to debug errors. Signed-off-by: Ophestra --- cmd/hakurei/parse.go | 12 +++++++++++- internal/outcome/main.go | 13 +++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/cmd/hakurei/parse.go b/cmd/hakurei/parse.go index 5362fff..266eb47 100644 --- a/cmd/hakurei/parse.go +++ b/cmd/hakurei/parse.go @@ -11,6 +11,7 @@ import ( "syscall" "hakurei.app/hst" + "hakurei.app/internal/outcome" "hakurei.app/internal/store" "hakurei.app/message" ) @@ -53,14 +54,23 @@ func tryFd(msg message.Msg, name string) io.ReadCloser { } return nil } else { + if v < 3 { // reject standard streams + return nil + } + msg.Verbosef("trying config stream from %d", v) fd := uintptr(v) if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 { - if errors.Is(errno, syscall.EBADF) { + if errors.Is(errno, syscall.EBADF) { // reject bad fd return nil } log.Fatalf("cannot get fd %d: %v", fd, errno) } + + if outcome.IsPollDescriptor(fd) { // reject runtime internals + log.Fatalf("invalid config stream %d", fd) + } + return os.NewFile(fd, strconv.Itoa(v)) } } diff --git a/internal/outcome/main.go b/internal/outcome/main.go index a32d220..1f02faf 100644 --- a/internal/outcome/main.go +++ b/internal/outcome/main.go @@ -4,13 +4,26 @@ import ( "context" "log" "time" + _ "unsafe" // for go:linkname "hakurei.app/hst" "hakurei.app/message" ) +// IsPollDescriptor reports whether fd is the descriptor being used by the poller. +// +//go:linkname IsPollDescriptor internal/poll.IsPollDescriptor +func IsPollDescriptor(fd uintptr) bool + // Main runs an app according to [hst.Config] and terminates. Main does not return. func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) { + // avoids runtime internals or standard streams + if fd >= 0 { + if IsPollDescriptor(uintptr(fd)) || fd < 3 { + log.Fatalf("invalid identifier fd %d", fd) + } + } + var id hst.ID if err := hst.NewInstanceID(&id); err != nil { log.Fatal(err.Error())