cuda: don't leak fds to cuda-checkpoint

Leaking open file descriptors to third-party tools can lead to security risks. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2025-08-22 01:51:51 +00:00 · 2024-07-08 16:53:39 +01:00 · 2024-07-08 16:53:39 +01:00 · fde0b7ac69
commit fde0b7ac69
parent 4dde52a308
3 changed files with 5 additions and 2 deletions
--- a/criu/include/util.h
+++ b/criu/include/util.h
@ -170,6 +170,7 @@ extern pid_t fork_and_ptrace_attach(int (*child_setup)(void));
 extern int cr_daemon(int nochdir, int noclose, int close_fd);
 extern int status_ready(void);
 extern int is_root_user(void);
+extern int close_fds(int minfd);

 extern int set_proc_self_fd(int fd);

--- a/criu/util.c
+++ b/criu/util.c
@ -524,7 +524,7 @@ int cr_close_range(unsigned int fd, unsigned int max_fd, unsigned int flags)
 	return syscall(__NR_close_range, fd, max_fd, flags);
 }

-static int close_fds(int minfd)
+int close_fds(int minfd)
 {
 	DIR *dir;
 	struct dirent *de;
--- a/plugins/cuda/cuda_plugin.c
+++ b/plugins/cuda/cuda_plugin.c
@ -115,7 +115,9 @@ static int launch_cuda_checkpoint(const char **args, char *buf, int buf_size)
 		if (dup2(fd[WRITE], STDERR_FILENO) == -1) {
 			return -1;
 		}
-		close(fd[READ]);
+
+		close_fds(STDERR_FILENO + 1);
+
 		return execvp(args[0], (char **)args);
 	} else { // parent
 		close(fd[WRITE]);