From fde0b7ac69c5b604fc8745341d16d2a494674cbc Mon Sep 17 00:00:00 2001
From: Radostin Stoyanov
Date: Mon, 8 Jul 2024 16:53:39 +0100
Subject: [PATCH] cuda: don't leak fds to cuda-checkpoint

Leaking open file descriptors to third-party tools can lead to security risks.

Signed-off-by: Radostin Stoyanov
---
 criu/include/util.h | 1 +
 criu/util.c | 2 +-
 plugins/cuda/cuda_plugin.c | 4 +++-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/criu/include/util.h b/criu/include/util.h
index 9037dc9e6..435469e1e 100644
--- a/criu/include/util.h
+++ b/criu/include/util.h
@@ -170,6 +170,7 @@ extern pid_t fork_and_ptrace_attach(int (*child_setup)(void));
 extern int cr_daemon(int nochdir, int noclose, int close_fd);
 extern int status_ready(void);
 extern int is_root_user(void);
+extern int close_fds(int minfd);
 extern int set_proc_self_fd(int fd);
diff --git a/criu/util.c b/criu/util.c
index d74c2aeef..7dfa1fe42 100644
--- a/criu/util.c
+++ b/criu/util.c
@@ -524,7 +524,7 @@ int cr_close_range(unsigned int fd, unsigned int max_fd, unsigned int flags)
 return syscall(__NR_close_range, fd, max_fd, flags);
 }
-static int close_fds(int minfd)
+int close_fds(int minfd)
 {
 DIR *dir;
 struct dirent *de;
diff --git a/plugins/cuda/cuda_plugin.c b/plugins/cuda/cuda_plugin.c
index f16c4c505..e44b4d007 100644
--- a/plugins/cuda/cuda_plugin.c
+++ b/plugins/cuda/cuda_plugin.c
@@ -115,7 +115,9 @@ static int launch_cuda_checkpoint(const char **args, char *buf, int buf_size)
 if (dup2(fd[WRITE], STDERR_FILENO) == -1) {
 return -1;
 }
- close(fd[READ]);
+
+ close_fds(STDERR_FILENO + 1);
+
+ return execvp(args[0], (char **)args);
 } else { // parent
 close(fd[WRITE]);
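Review bot: The new `extern int close_fds(int minfd);` declaration in util.h exposes the helper to plugins without stating its contract. The call site in cuda_plugin.c passes `STDERR_FILENO + 1`, which suggests `minfd` is the first descriptor to be closed, but neither that nor the meaning of the int return is written down. A one-line comment above the prototype would cover it, for example `/* Close every open fd >= minfd; returns 0 on success, negative on error. */`, with the return convention checked against the body in criu/util.c, most of which lies outside the visible hunk.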
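Review bot: The result of `close_fds(STDERR_FILENO + 1);` is discarded in the child branch of launch_cuda_checkpoint, so if the helper fails, the code still reaches `execvp` with whatever descriptors remain open, which is the leak this commit sets out to prevent. The prototype returns int, and the `DIR *dir` local visible in the util.c hunk suggests it walks a directory listing and can presumably fail before closing everything. Failing closed would match the `dup2` error path just above it: `if (close_fds(STDERR_FILENO + 1) < 0) return -1;`. Descriptors 0 and 1 are also passed through unchanged unless earlier lines redirect them; the function starts and ends outside this hunk, so that cannot be confirmed here.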