Cygwin: Try to fix potential data corruption in pipe write

* fhandler.cc (fhandler_base_overlapped::raw_write): When performing nonblocking I/O, copy user space data into own buffer. Add longish comment to explain why. * fhandler.h (fhandler_base_overlapped::atomic_write_buf): New member. (fhandler_base_overlapped::fhandler_base_overlapped): Initialize atomic_write_buf. (fhandler_base_overlapped::fhandler_base_overlapped): New destructor, free'ing atomic_write_buf. (fhandler_base_overlapped::copyto): Set atomic_write_buf to NULL in copied fhandler. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-15 12:30:09 +02:00
parent 36d500e425
commit 344860a104
4 changed files with 66 additions and 1 deletions
--- a/winsup/cygwin/fhandler.h
+++ b/winsup/cygwin/fhandler.h
@ -661,6 +661,7 @@ protected:
  OVERLAPPED io_status;
  OVERLAPPED *overlapped;
  size_t max_atomic_write;
+  void *atomic_write_buf;
 public:
  wait_return __reg3 wait_overlapped (bool, bool, DWORD *, bool, DWORD = 0);
  int __reg1 setup_overlapped ();
@ -670,7 +671,7 @@ public:
  OVERLAPPED *&get_overlapped () {return overlapped;}
  OVERLAPPED *get_overlapped_buffer () {return &io_status;}
  void set_overlapped (OVERLAPPED *ov) {overlapped = ov;}
-  fhandler_base_overlapped (): io_pending (false), overlapped (NULL), max_atomic_write (0)
+  fhandler_base_overlapped (): io_pending (false), overlapped (NULL), max_atomic_write (0), atomic_write_buf (NULL)
  {
    memset (&io_status, 0, sizeof io_status);
  }
@ -686,11 +687,17 @@ public:
  static void __reg1 flush_all_async_io ();;

  fhandler_base_overlapped (void *) {}
+  ~fhandler_base_overlapped ()
+  {
+    if (atomic_write_buf)
+      cfree (atomic_write_buf);
+  }

  virtual void copyto (fhandler_base *x)
  {
    x->pc.free_strings ();
    *reinterpret_cast<fhandler_base_overlapped *> (x) = *this;
+    reinterpret_cast<fhandler_base_overlapped *> (x)->atomic_write_buf = NULL;
    x->reset (this);
  }