named-pipes: fix receiving IOCP events after deregister #1760
That issue number doesn't exist. Typo?
It's a Tokio issue, I've added a link.
match self.cp.as_ref().unwrap().post(completion_status) { | ||
Ok(_) => { | ||
// Increase the ref count of `Inner` for the completion event. | ||
mem::forget(me.clone()); |
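Review bot: on the `Ok(_)` arm, `mem::forget(me.clone())` leaks one strong reference to `Inner` on purpose, but the comment does not say where that reference is reclaimed. Since this count is what keeps `Inner` alive until the posted completion is dequeued, name the matching release site in the comment so a later change cannot unbalance it. The `self.cp.as_ref().unwrap()` on the first line would also benefit from a short note on why `cp` is always set on this path.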
Nit: we could use `Arc::increment_strong_count`, but I don't know if we use it anywhere else, if not it's ok to keep the current code.
This is the style in the rest of the file. It probably should be updated in one go.
The minimal CI seems to fail with a proper error:
Oh, I just noticed this targets the v0.8.x branch, can you change it to master? Then we can backport afterwards, that's how we usually do it.
491593a to 10ff21b
I rebased against master.
This issue only applies to named pipes. #1755 appears to be related to TCP, so it would not be related.
Security Advisory mio >= 0.7.2, <= 0.8.10 - tokio-rs/tokio#6369 - tokio-rs/mio#1760 - https://rustsec.org/advisories/RUSTSEC-2024-0019.html
For tokio users: this is marked as fixing tokio-rs/tokio#6369 but I think it should not have been: tokio-rs/tokio#6369 (comment)
For Tokio users, run
### Description

This is a part of #8809

Update mio from 0.8.8 to 0.8.11.

When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free.

### Connections

[named-pipes: fix receiving IOCP events after deregister #1760](tokio-rs/mio#1760)
[Windows Named pipes invalid memory access #6369](tokio-rs/tokio#6369)

Release Notes:

- N/A
There is a race condition with named pipes where it is possible to receive events for a named pipe after it has been deregistered with the selector. This is because named pipes use IOCP, and there is a path where it posts a raw event, and by the time that raw event is returned by the selector to the user, the user could have deregistered the I/O resource.
The fix is to post the event while maintaining the association with the I/O resource. Then, before returning the event to the user, do a final check to ensure the I/O resource (named pipe) is still registered with the selector.
Fixes #6369
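The race and the fix described above, modelled as an added example that is not mio's code: `Inner`, `Posted`, `Selector` and `race` are hypothetical stand-ins, a plain FIFO replaces the IOCP port, and the tokens 7 and 8 are constructed sample values.

```rust
use std::collections::VecDeque;
use std::sync::atomic::{AtomicBool, Ordering::SeqCst};
use std::sync::Arc;

// Hypothetical stand-in for a named pipe's shared state.
struct Inner {
    token: usize,
    registered: AtomicBool,
}

enum Posted {
    Raw(usize),             // pre-fix shape: only the token travels with the event
    Associated(Arc<Inner>), // post-fix shape: the event keeps its I/O resource
}

// Hypothetical selector: a plain FIFO stands in for the completion port.
struct Selector { queue: VecDeque<Posted> }

impl Selector {
    // Tokens handed to the user; associated events get the final registration check.
    fn poll(&mut self) -> Vec<usize> {
        let deliver = |p: Posted| match p {
            Posted::Raw(token) => Some(token),
            Posted::Associated(io) => io.registered.load(SeqCst).then(|| io.token),
        };
        self.queue.drain(..).filter_map(deliver).collect()
    }
}

// Two pipes post an event each; one is deregistered before the user polls.
fn race(associated: bool) -> Vec<usize> {
    let mut sel = Selector { queue: VecDeque::new() };
    let gone = Arc::new(Inner { token: 7, registered: AtomicBool::new(true) });
    let live = Arc::new(Inner { token: 8, registered: AtomicBool::new(true) });
    for io in [&gone, &live] {
        sel.queue.push_back(if associated {
            Posted::Associated(Arc::clone(io))
        } else {
            Posted::Raw(io.token)
        });
    }
    gone.registered.store(false, SeqCst); // the user deregisters pipe 7
    sel.poll()
}

fn main() {
    println!("raw: {:?}, associated: {:?}", race(false), race(true));
}
```

With raw events the stale token 7 still reaches the caller; with associated events only token 8 is delivered.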