Re: [PATCH] Fix copying in MACH_PORT_DEAD on x86_64
From: Samuel Thibault
Subject: Re: [PATCH] Fix copying in MACH_PORT_DEAD on x86_64
Date: Sun, 18 Jun 2023 00:27:26 +0200
User-agent: NeoMutt/20170609 (1.8.3)
Applied, thanks!
Sergey Bugaev, on Thu. 15 Jun 2023 21:17:31 +0300, wrote:
> We need to properly convert MACH_PORT_NAME_DEAD (which is 32-bit -1)
> into IO_DEAD, which is 64-bit -1.
>
> To reproduce:
>
> $ portinfo -va 1
> (see the Mach crash trying to access a port at 0xffffffff)
> ---
> ipc/ipc_kmsg.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/ipc/ipc_kmsg.c b/ipc/ipc_kmsg.c
> index 1988da45..5012e607 100644
> --- a/ipc/ipc_kmsg.c
> +++ b/ipc/ipc_kmsg.c
> @@ -1447,8 +1447,10 @@ ipc_kmsg_copyin_body(
> mach_port_name_t port = ((mach_port_t*)data)[i];
> ipc_object_t object;
>
> - if (!MACH_PORT_NAME_VALID(port))
> + if (!MACH_PORT_NAME_VALID(port)) {
> + objects[i] =
> (ipc_object_t)invalid_name_to_port(port);
> continue;
> + }
>
> kr = ipc_object_copyin(space, port,
> name, &object);
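Review bot: the new `!MACH_PORT_NAME_VALID(port)` branch stores the converted value without any comment on why a conversion is needed, so a later reader sees only a cast to `ipc_object_t`. A one-line comment above `objects[i] = ...` saying that an invalid 32-bit name such as MACH_PORT_NAME_DEAD has to be widened to its 64-bit counterpart (IO_DEAD) would keep the reasoning from the commit message in the code. The context line above reads the entry through a `(mach_port_t*)` cast into a `mach_port_name_t`; since this fix is about the two widths differing, it is worth confirming that the read uses the element width the sender actually wrote.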
> @@ -1465,9 +1467,6 @@ ipc_kmsg_copyin_body(
> kmsg->ikm_header.msgh_bits |=
> MACH_MSGH_BITS_CIRCULAR;
>
> - /* TODO: revisit this for 64 bits since the
> size of
> - * mach_port_name_t is not the same as a
> pointer size.
> - */
> objects[i] = object;
> }
>
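Review bot: the TODO removed above `objects[i] = object;` was the only in-code note that `mach_port_name_t` and a pointer differ in size, and the commit message does not mention dropping it. If the first hunk is what resolves it, say so in the commit message, or leave a short comment here stating that every `objects[i]` slot, valid name or not, is now written with a pointer-sized value.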
> --
> 2.40.1
>
>
--
Samuel
---
For an independent, transparent and rigorous evaluation!
I support the Inria Evaluation Committee.