libcontainer: Bail on close(2) failures

Don't ignore close(2) return code, rather bail if there is any unexpected failures. By checking the close return code we make sure we don't introduce the same bug (closing an already closed fd) I've fixed in the previous patch. As a side note, we are not handling in this patch when close(2) returns EINTR and the go runtime, since go 1.14, sends SIGURG to preempt goroutines. This should not happen here though, as nsenter is guaranteed to be executed before the go runtime starts. Signed-off-by: Rodrigo Campos <[email protected]>
opencontainers · Jul 2, 2021 · 57eaa87 · 57eaa87
1 parent 7d479e6
commit 57eaa87
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
@@ -749,7 +749,9 @@ void nsexec(void)
 				bail("unable to spawn stage-1");
 
 			syncfd = sync_child_pipe[1];
-			close(sync_child_pipe[0]);
+			int r = close(sync_child_pipe[0]);
+			if (r == -1)
+				bail("Failed to close fd sync_child_pipe[0]");
 
 			/*
 			 * State machine for synchronisation with the children. We only
@@ -839,7 +841,10 @@ void nsexec(void)
 
 			/* Now sync with grandchild. */
 			syncfd = sync_grandchild_pipe[1];
-			close(sync_grandchild_pipe[0]);
+			r = close(sync_grandchild_pipe[0]);
+			if (r == -1)
+				bail("Failed to close fd sync_grandchild_pipe[0]");
+
 			write_log(DEBUG, "-> stage-2 synchronisation loop");
 			stage2_complete = false;
 			while (!stage2_complete) {
@@ -885,7 +890,9 @@ void nsexec(void)
 
 			/* We're in a child and thus need to tell the parent if we die. */
 			syncfd = sync_child_pipe[0];
-			close(sync_child_pipe[1]);
+			int r = close(sync_child_pipe[1]);
+			if (r == -1)
+				bail("failed to close sync_child_pipe[1]");
 
 			/* For debugging. */
 			prctl(PR_SET_NAME, (unsigned long)"runc:[1:CHILD]", 0, 0, 0);
@@ -1042,8 +1049,15 @@ void nsexec(void)
 
 			/* We're in a child and thus need to tell the parent if we die. */
 			syncfd = sync_grandchild_pipe[0];
-			close(sync_grandchild_pipe[1]);
-			close(sync_child_pipe[0]);
+			int r = close(sync_grandchild_pipe[1]);
+			if (r == -1) {
+				bail("failed to close sync_grandchild_pipe[1]");
+			}
+
+			r = close(sync_child_pipe[0]);
+			if (r == -1) {
+				bail("failed to close sync_child_pipe[0]");
+			}
 
 			/* For debugging. */
 			prctl(PR_SET_NAME, (unsigned long)"runc:[2:INIT]", 0, 0, 0);
@@ -1094,7 +1108,9 @@ void nsexec(void)
 				bail("failed to sync with patent: write(SYNC_CHILD_FINISH)");
 
 			/* Close sync pipes. */
-			close(sync_grandchild_pipe[0]);
+			r = close(sync_grandchild_pipe[0]);
+			if (r == -1)
+				bail("failed to close sync_grandchild_pipe[0]");
 
 			/* Free netlink data. */
 			nl_free(&config);