[CRIU] [PATCH] restorer/inotify: Don't overflow PIE stack
Dmitry Safonov
dima at arista.com
Fri Oct 4 18:32:48 MSK 2019
PATH_MAX == 4096; PATH_MAX*8 == 32k; RESTORE_STACK_SIZE == 32k.
Fixes: a3cdf948699c6 ("inotify: cleanup auxiliary events from queue")
Cc: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Cc: Andrei Vagin <avagin at gmail.com>
Co-debugged-with: Andrei Vagin <avagin at gmail.com>
Signed-off-by: Dmitry Safonov <dima at arista.com>
---
criu/pie/restorer.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
index 390c0e1a9a03..dab58add6abb 100644
--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@@ -1320,21 +1320,23 @@ static int fd_poll(int inotify_fd)
}
/*
- * note: Actually kernel may want even more space for one event (see
- * round_event_name_len), so using buffer of EVENT_BUFF_SIZE size may fail.
- * To be on the safe side - take a bigger buffer, and these also allows to
- * read more events in one syscall.
+ * In the worst case buf size should be:
+ * sizeof(struct inotify_event) * 2 + PATH_MAX
+ * See round_event_name_len() in kernel.
*/
-#define EVENT_BUFF_SIZE ((sizeof(struct inotify_event) + PATH_MAX))
+#define EVENT_BUFF_SIZE ((sizeof(struct inotify_event) * 2 + PATH_MAX))
/*
* Read all available events from inotify queue
*/
static int cleanup_inotify_events(int inotify_fd)
{
- char buf[EVENT_BUFF_SIZE * 8];
+ char buf[EVENT_BUFF_SIZE * 3];
int ret;
+ /* Limit buf to be lesser than half of restorer's stack */
+ BUILD_BUG_ON(ARRAY_SIZE(buf) >= RESTORE_STACK_SIZE/2);
+
while (1) {
ret = fd_poll(inotify_fd);
if (ret < 0) {
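Review bot: the new comment gives the worst-case size as sizeof(struct inotify_event) * 2 + PATH_MAX but does not say where the second sizeof comes from; since it already points at round_event_name_len() in the kernel, one clause noting that the name (plus its NUL) is padded up to a multiple of sizeof(struct inotify_event) would let the next reader verify the bound rather than trust it. The `* 3` in `char buf[EVENT_BUFF_SIZE * 3];` is a bare magic number that must be kept consistent with the `RESTORE_STACK_SIZE/2` in the BUILD_BUG_ON by hand; a named constant for the number of events the buffer is meant to hold would make that relationship explicit. Minor: the comment should read "Limit buf to less than half of the restorer's stack", and it is worth adding that the BUILD_BUG_ON bounds only this array, not the rest of this frame or what the callers have already consumed, so the half-stack margin is the real safety.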
--
2.23.0