[bug #49056] sending mach_port_kernel_object to non-task object crashes


From: Kalle Olavi Niemitalo
Subject: [bug #49056] sending mach_port_kernel_object to non-task object crashes mach
Date: Sun, 11 Sep 2016 08:01:39 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

URL:
  <http://savannah.gnu.org/bugs/?49056>

                 Summary: sending mach_port_kernel_object to non-task object
crashes mach
                 Project: The GNU Hurd
            Submitted by: kon
            Submitted on: Sun Sep 11 08:01:37 2016
                Category: GNU Mach
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
         Reproducibility: Every Time
              Size (loc): None
         Planned Release: None
                  Effort: 0.00
Wiki-like text discussion box: 

    _______________________________________________________

Details:

If a process sends the mach_port_kernel_object request to a kernel object that
is not a task (can be a thread instead), then an assertion fails in debug
build of GNU Mach, and it drops to the kernel debugger.  In a non-debug build,
I think it would cause a null pointer dereference instead.

In <mach_debug/mach_debug.defs>, the first parameter of
mach_port_kernel_object is an ipc_space_t.  In <mach/mach_types.defs>, the
intran of ipc_space_t is 'ipc_space_t convert_port_to_space(mach_port_t)',
which is defined in kern/ipc_tt.c and returns IS_NULL if the port does not
refer to a task.  The mach_port_kernel_object function (defined in
ipc/mach_debug.c) then receives IS_NULL in its 'ipc_space_t space' parameter
and calls (via the ipc_right_lookup_read macro) the ipc_right_lookup_write
function (defined in ipc/ipc_right.c), which contains the assertion
'assert(space != IS_NULL);'.

To fix this, mach_port_kernel_object needs to check for 'space == IS_NULL'
itself and return KERN_INVALID_TASK, like mach_port_dnrequest_info already
does.

To reproduce the bug, boot up a debug build of GNU Mach, put the attached
lookup_kernel_object.c in some directory, and run:


mig /usr/include/mach_debug/mach_debug.defs
gcc lookup_kernel_object.c mach_debugUser.c
./a.out


In the console, the assertion failure then appears like this:


Assertion `space != IS_NULL' failed in file "../ipc/ipc_right.c", line 74
Debugger invoked: assertion failure
Kernel Breakpoint trap, eip 0x810200f4
Stopped at  Debugger+0x13:      int     $3
Debugger(810d9140,810d8ed5,810d8ec2,4a,c2c2cffc)+0x13
Assert(810d8ed5,810d8ec2,4a,80000001,0)+0x25
ipc_right_lookup_write(0,43,bbd01ee4,c2c2b000)+0x95
mach_port_kernel_object(0,43,c2c2b034,c2c2b03c,b9954948)+0x18
_Xmach_port_kernel_object(b8e8a010,c2c2b010,bbd01f60,c,43)+0x4a
ipc_kobject_server(b8e8a000,43,0,0)+0x92
mach_msg_trap(102dd30,3,20,30,73)+0x7c4
db> 
 




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sun Sep 11 08:01:37 2016  Name: lookup_kernel_object.c  Size: 539B   By:
kon
repro
<http://savannah.gnu.org/bugs/download.php?file_id=38475>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?49056>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
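The guard the report asks for, shown as an added example that is not part of the bug report or of GNU Mach: a constructed userland model of the call chain (intran, server routine, right lookup), with the unguarded shape beside the fixed one. The kern_return values are assumed to mirror <mach/kern_return.h>; the kobject, port and space types are stand-ins.

```c
/* Constructed userland model of the call chain in bug #49056; not GNU Mach code.
 * kern_return values are assumed to mirror <mach/kern_return.h>. */
typedef int kern_return_t;
#define KERN_SUCCESS      0
#define KERN_INVALID_NAME 15
#define KERN_INVALID_TASK 16
/* A kernel object named by a port; only a task owns an IPC space. */
enum kobj_type { KOBJ_TASK, KOBJ_THREAD };
typedef struct { enum kobj_type type; } kobject_t;
typedef kobject_t *mach_port_t;
typedef int *ipc_space_t;               /* opaque handle in this model */
#define IS_NULL ((ipc_space_t)0)
static int task_space;                  /* the one task's IPC space */

/* Stand-in for the intran convert_port_to_space(): IS_NULL unless the port is a task. */
static ipc_space_t convert_port_to_space(mach_port_t port)
{
    return (port && port->type == KOBJ_TASK) ? &task_space : IS_NULL;
}

/* Stand-in for ipc_right_lookup_write(). The kernel asserts space != IS_NULL here,
 * so entering with IS_NULL is the reported crash; this model records it instead. */
static int lookup_entered_with_null;
static kern_return_t ipc_right_lookup_write(ipc_space_t space)
{
    if (space == IS_NULL) { lookup_entered_with_null = 1; return KERN_INVALID_NAME; }
    return KERN_SUCCESS;
}
/* Unguarded shape the report describes: the intran result is used as-is. */
static kern_return_t mach_port_kernel_object_unguarded(ipc_space_t space)
{
    return ipc_right_lookup_write(space);
}

/* Proposed fix: reject IS_NULL before any lookup, as mach_port_dnrequest_info does. */
static kern_return_t mach_port_kernel_object_fixed(ipc_space_t space)
{
    if (space == IS_NULL) return KERN_INVALID_TASK;
    return ipc_right_lookup_write(space);
}
/* Sends one request at a task or thread port through the chosen handler. */
static kern_return_t send_request(enum kobj_type target, int use_fixed)
{
    kobject_t obj = { target };
    ipc_space_t space = convert_port_to_space(&obj);
    lookup_entered_with_null = 0;
    return use_fixed ? mach_port_kernel_object_fixed(space)
                     : mach_port_kernel_object_unguarded(space);
}
```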