URL: <http://savannah.gnu.org/bugs/?48456>
Summary: mig-generated user code does not destroy invalid reply
Project: The GNU Hurd
Submitted by: kon
Submitted on: Sun Jul 10 11:56:21 2016
Category: GNU MIG
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Reproducibility: Every Time
Size (loc): None
Planned Release: None
Effort: 0.00

_______________________________________________________

Details:

If "user" code generated by MIG sends a request to a server and gets back a reply that does not match the RPC definition, it returns an error but does not destroy the reply message. So if the reply carried any port rights, those rights remain in the task. This could perhaps be used for denial of service, if a long-lived process calls a less-trusted one.

The attached reply-leak.tar.gz demonstrates this bug. In it, a program first forks, and the child process then does an RPC to the parent once per second, but the parent process replies with a message that has an unexpected msgh_id and carries ten receive rights instead of the required data. In the child process, MIG-generated code detects this mismatch and returns an error, which the child process logs. The child process then checks how many port names it has and logs that value, which increases by ten per second. It should not increase.

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Sun Jul 10 11:56:21 2016  Name: reply-leak.tar.gz  Size: 2kB  By: kon
test case
<http://savannah.gnu.org/bugs/download.php?file_id=37791>

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/bugs/?48456>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
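As an added illustration of the reply path the report describes (not code from the attached test case or from MIG itself), here is a C model of a user stub's msgh_id check: a counter stands in for the task's port-name space, destroy_reply() stands in for mach_msg_destroy(), which is the call a stub should make on a mismatched reply before returning MIG_REPLY_MISMATCH, and the expected msgh_id and the ten-rights reply are constructed values. It replays the report's scenario with and without that destroy call.

```c
#include <stdint.h>
/* Constructed model of the MIG user-stub reply path from the report (added
   illustration, not Mach or MIG code): a counter stands in for the task's
   port-name space and destroy_reply() for mach_msg_destroy(). */
#define EXPECTED_MSGH_ID   2101    /* hypothetical reply id the stub expects */
#define MIG_REPLY_MISMATCH (-303)  /* MIG's error code for an unexpected reply */

typedef struct {
    int32_t  msgh_id;   /* reply message id, checked by the stub */
    unsigned n_rights;  /* port rights the reply carried */
} reply_t;

static unsigned task_port_names;  /* port names held by the (model) task */
/* Model of mach_msg() receive: carried rights land in the task's name space. */
static void receive_reply(reply_t *r, int32_t id, unsigned n_rights) {
    r->msgh_id = id;
    r->n_rights = n_rights;
    task_port_names += n_rights;
}
/* Model of mach_msg_destroy(): deallocates every right the message carried. */
static void destroy_reply(reply_t *r) {
    task_port_names -= r->n_rights;
    r->n_rights = 0;
}

/* Stub as reported: returns the error but leaves the rights in the task.
   With fix=1 it destroys the unexpected reply first, which is the correction. */
int user_stub(int fix, int32_t id, unsigned n_rights, unsigned *out_rights) {
    reply_t r;
    receive_reply(&r, id, n_rights);
    if (r.msgh_id != EXPECTED_MSGH_ID) {
        if (fix)
            destroy_reply(&r);       /* release the carried rights */
        return MIG_REPLY_MISMATCH;   /* without the fix, rights are still held */
    }
    *out_rights = r.n_rights;        /* success: caller now owns the rights */
    return 0;
}

/* Report's scenario: n mismatched replies carrying 10 receive rights each.
   Returns the port names held afterwards: 10*n with the bug, 0 with the fix. */
unsigned port_names_after(unsigned n, int fix) {
    unsigned unused;
    task_port_names = 0;
    for (unsigned i = 0; i < n; i++)
        if (user_stub(fix, EXPECTED_MSGH_ID + 1, 10, &unused) != MIG_REPLY_MISMATCH)
            return (unsigned)-1;     /* not expected: the id does not match */
    return task_port_names;
}
```

On a real Hurd system the equivalent check is the port-name count the attached test case logs; the leaky variant grows by ten per call exactly as the report describes.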