URL: <http://savannah.gnu.org/bugs/?49056>
Summary: sending mach_port_kernel_object to non-task object crashes mach
Project: The GNU Hurd
Submitted by: kon
Submitted on: Sun Sep 11 08:01:37 2016
Category: GNU Mach
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Reproducibility: Every Time
Size (loc): None
Planned Release: None
Effort: 0.00

Details:

If a process sends the mach_port_kernel_object request to a kernel object that is not a task (it can be a thread instead), then an assertion fails in a debug build of GNU Mach, and it drops to the kernel debugger. In a non-debug build, I think it would cause a null pointer dereference instead.

In <mach_debug/mach_debug.defs>, the first parameter of mach_port_kernel_object is an ipc_space_t. In <mach/mach_types.defs>, the intran of ipc_space_t is 'ipc_space_t convert_port_to_space(mach_port_t)', which is defined in kern/ipc_tt.c and returns IS_NULL if the port does not refer to a task. The mach_port_kernel_object function (defined in ipc/mach_debug.c) then receives IS_NULL in its 'ipc_space_t space' parameter and calls (via the ipc_right_lookup_read macro) the ipc_right_lookup_write function (defined in ipc/ipc_right.c), which contains the assertion 'assert(space != IS_NULL);'.

To fix this, mach_port_kernel_object needs to check for 'space == IS_NULL' itself and return KERN_INVALID_TASK, like mach_port_dnrequest_info already does.
To reproduce the bug, boot up a debug build of GNU Mach, put the attached lookup_kernel_object.c into some directory, and run:

    mig /usr/include/mach_debug/mach_debug.defs
    gcc lookup_kernel_object.c mach_debugUser.c
    ./a.out

In the console, the assertion failure then appears like this:

    Assertion `space != IS_NULL' failed in file "../ipc/ipc_right.c", line 74
    Debugger invoked: assertion failure
    Kernel Breakpoint trap, eip 0x810200f4
    Stopped at Debugger+0x13: int $3
    Debugger(810d9140,810d8ed5,810d8ec2,4a,c2c2cffc)+0x13
    Assert(810d8ed5,810d8ec2,4a,80000001,0)+0x25
    ipc_right_lookup_write(0,43,bbd01ee4,c2c2b000)+0x95
    mach_port_kernel_object(0,43,c2c2b034,c2c2b03c,b9954948)+0x18
    _Xmach_port_kernel_object(b8e8a010,c2c2b010,bbd01f60,c,43)+0x4a
    ipc_kobject_server(b8e8a000,43,0,0)+0x92
    mach_msg_trap(102dd30,3,20,30,73)+0x7c4
    db>

File Attachments:

Date: Sun Sep 11 08:01:37 2016
Name: lookup_kernel_object.c
Size: 539B
By: kon
Description: repro
<http://savannah.gnu.org/bugs/download.php?file_id=38475>

Message sent via/by Savannah http://savannah.gnu.org/
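The following is an added illustration of the call chain the report describes, written as a self-contained model rather than GNU Mach source: the port, space, task and thread structures, the kern_return_t values, the MIG-style dispatch function and the name `dispatch` are all constructed here, and the kernel's assert()/Debugger() is replaced by a counter (`assertion_failures`) so the faulting path can be observed without trapping. It places the unchecked handler shape the report complains about beside the checked shape it asks for (reject IS_NULL up front and return KERN_INVALID_TASK), and drives both with a thread port and a task port.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the report's call chain; not GNU Mach source. */
typedef int kern_return_t;
enum { KERN_SUCCESS = 0, KERN_FAILURE = 5, KERN_INVALID_NAME = 15, KERN_INVALID_TASK = 16 };

/* Kind of kernel object a port names (model of the kobject type tag). */
typedef enum { KOBJ_NONE, KOBJ_TASK, KOBJ_THREAD } kobj_type_t;

/* Model IPC space: a tiny name table with a per-name right type. */
typedef struct ipc_space {
    unsigned name_count;
    unsigned entry_type[4];          /* constructed values */
} ipc_space_t;
#define IS_NULL ((ipc_space_t *)0)

typedef struct task   { ipc_space_t *itk_space; } task_t;
typedef struct thread { int placeholder; } thread_t;

/* A port as the kernel sees it: the kobject type plus the object it names. */
typedef struct port { kobj_type_t kobj_type; void *kobj; } port_t;

/* Stand-in for the kernel's assert(): count the failure and bail out instead of trapping. */
static int assertion_failures = 0;
#define MODEL_ASSERT(cond) \
    do { if (!(cond)) { assertion_failures++; return KERN_FAILURE; } } while (0)

/* Model of the MIG intran convert_port_to_space(): only task ports yield a space. */
static ipc_space_t *convert_port_to_space(const port_t *port)
{
    if (port == NULL || port->kobj_type != KOBJ_TASK)
        return IS_NULL;
    return ((task_t *)port->kobj)->itk_space;
}

/* Model of ipc_right_lookup_write(): expects the caller to have validated space. */
static kern_return_t ipc_right_lookup_write(ipc_space_t *space, unsigned name, unsigned *type_out)
{
    MODEL_ASSERT(space != IS_NULL);  /* the assertion the report quotes */
    if (name >= space->name_count)
        return KERN_INVALID_NAME;
    *type_out = space->entry_type[name];
    return KERN_SUCCESS;
}

/* Handler shaped like the unfixed routine: trusts whatever the intran produced. */
static kern_return_t kernel_object_unchecked(ipc_space_t *space, unsigned name, unsigned *type_out)
{
    return ipc_right_lookup_write(space, name, type_out);
}

/* Handler with the fix the report asks for: reject IS_NULL before any lookup. */
static kern_return_t kernel_object_checked(ipc_space_t *space, unsigned name, unsigned *type_out)
{
    if (space == IS_NULL)
        return KERN_INVALID_TASK;
    return ipc_right_lookup_write(space, name, type_out);
}

/* MIG-style server path: target port -> intran -> handler. */
static kern_return_t dispatch(const port_t *target, unsigned name, int checked, unsigned *type_out)
{
    ipc_space_t *space = convert_port_to_space(target);
    return checked ? kernel_object_checked(space, name, type_out)
                   : kernel_object_unchecked(space, name, type_out);
}

/* Send the request to a thread port (the report's trigger) through either handler. */
kern_return_t send_to_thread_port(int checked)
{
    thread_t thread = { 0 };
    port_t thread_port = { KOBJ_THREAD, &thread };
    unsigned type = 0;
    return dispatch(&thread_port, 1, checked, &type);
}

/* Send the request to a task port: the intended use, which succeeds with either handler. */
kern_return_t send_to_task_port(int checked, unsigned *type_out)
{
    ipc_space_t space = { 3, { 0, 1, 2, 0 } };
    task_t task = { &space };
    port_t task_port = { KOBJ_TASK, &task };
    return dispatch(&task_port, 2, checked, type_out);
}

int main(void)
{
    unsigned type = 0;
    kern_return_t rc_unchecked = send_to_thread_port(0);
    int failures_after_unchecked = assertion_failures;
    kern_return_t rc_checked = send_to_thread_port(1);
    int failures_after_checked = assertion_failures;
    kern_return_t rc_task = send_to_task_port(1, &type);
    printf("unchecked, thread port: rc=%d assertion_failures=%d\n", rc_unchecked, failures_after_unchecked);
    printf("checked,   thread port: rc=%d assertion_failures=%d\n", rc_checked, failures_after_checked);
    printf("checked,   task port:   rc=%d type=%u\n", rc_task, type);
    return 0;
}
```

The point of the model is where validation lives: the intran already signals "not a task" by returning IS_NULL, so the server routine, not the lower-level right lookup, is the place to turn that into KERN_INVALID_TASK. Any kernel RPC whose intran can fail the same way needs the same check before the first dereference.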