treewide: reject impossible user-supplied fd

These are all trusted user input, however this check reduces the likelihood of hard to debug errors.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/hakurei/parse.go

@@ -11,6 +11,7 @@ import (
 	"syscall"
 
 	"hakurei.app/hst"
+	"hakurei.app/internal/outcome"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
 )
@@ -53,14 +54,23 @@ func tryFd(msg message.Msg, name string) io.ReadCloser {
 		}
 		return nil
 	} else {
+		if v < 3 { // reject standard streams
+			return nil
+		}
+
 		msg.Verbosef("trying config stream from %d", v)
 		fd := uintptr(v)
 		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
-			if errors.Is(errno, syscall.EBADF) {
+			if errors.Is(errno, syscall.EBADF) { // reject bad fd
 				return nil
 			}
 			log.Fatalf("cannot get fd %d: %v", fd, errno)
 		}
+
+		if outcome.IsPollDescriptor(fd) { // reject runtime internals
+			log.Fatalf("invalid config stream %d", fd)
+		}
+
 		return os.NewFile(fd, strconv.Itoa(v))
 	}
 }

internal/outcome/main.go

@@ -4,13 +4,26 @@ import (
 	"context"
 	"log"
 	"time"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/hst"
 	"hakurei.app/message"
 )
 
+// IsPollDescriptor reports whether fd is the descriptor being used by the poller.
+//
+//go:linkname IsPollDescriptor internal/poll.IsPollDescriptor
+func IsPollDescriptor(fd uintptr) bool
+
 // Main runs an app according to [hst.Config] and terminates. Main does not return.
 func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
+	// avoids runtime internals or standard streams
+	if fd >= 0 {
+		if IsPollDescriptor(uintptr(fd)) || fd < 3 {
+			log.Fatalf("invalid identifier fd %d", fd)
+		}
+	}
+
 	var id hst.ID
 	if err := hst.NewInstanceID(&id); err != nil {
 		log.Fatal(err.Error())