PERFORCE change 92918 for review
Todd Miller
millert at FreeBSD.org
Tue Mar 7 08:42:02 PST 2006
http://perforce.freebsd.org/chv.cgi?CH=92918
Change 92918 by millert at millert_ibook on 2006/03/07 16:41:27
Check to make sure the port is not dead before we use it.
This fixes a race condition between label handle deallocation
and user space requests using the label handle's port (such
as mach_get_label_text).
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/mach_port.c#7 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/kern/security.c#7 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/mach_port.c#7 (text+ko) ====
@@ -1773,6 +1773,7 @@
ipc_port_t port;
struct label outl;
kern_return_t kr;
+ int dead;
if (!MACH_PORT_VALID(name))
return KERN_INVALID_NAME;
@@ -1782,10 +1783,16 @@
if (kr != KERN_SUCCESS)
return kr;
- /* Make sure we are not dealing with a label handle. */
port = (ipc_port_t) entry->ie_object;
- ip_lock(port);
+ dead = ipc_right_check(space, port, name, entry);
+ if (dead) {
+ is_write_unlock(space);
+ return KERN_INVALID_RIGHT;
+ }
+ /* port is now locked */
+
is_write_unlock(space);
+ /* Make sure we are not dealing with a label handle. */
if (ip_kotype(port) == IKOT_LABELH) {
/* already is a label handle! */
ip_unlock(port);
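Review bot: Nothing between the lookup's `return kr;` and `port = (ipc_port_t) entry->ie_object;` checks that the entry actually holds a port right, so `ipc_right_check` may be handed a null object (dead-name entry) or a port set cast to a port. Unless the lookup routine already guarantees the entry type, a guard before the cast would close this, for example `if ((entry->ie_bits & MACH_PORT_TYPE_PORT_RIGHTS) == 0) { is_write_unlock(space); return KERN_INVALID_RIGHT; }`. The same applies to the `@@ -1824,15 +1832,21 @@` hunk below. `dead` would also read better as `boolean_t`, assuming that is what `ipc_right_check` returns. The function starts and ends outside this hunk.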
@@ -1813,6 +1820,7 @@
ipc_entry_t entry;
kern_return_t kr;
struct label *l;
+ int dead;
if (space == IS_NULL || space->is_task == NULL)
return KERN_INVALID_TASK;
@@ -1824,15 +1832,21 @@
if (kr != KERN_SUCCESS)
return kr;
- io_lock(entry->ie_object);
- is_write_unlock (space);
+ dead = ipc_right_check(space, entry->ie_object, name, entry);
+ if (dead) {
+ is_write_unlock(space);
+ return KERN_INVALID_RIGHT;
+ }
+ /* object (port) is now locked */
+
+ is_write_unlock(space);
l = io_getlabel(entry->ie_object);
- mac_externalize_port_label (l, policies, outlabel, 512, 0);
+ mac_externalize_port_label(l, policies, outlabel, 512, 0);
io_unlocklabel(entry->ie_object);
- io_unlock (entry->ie_object);
- return 0;
+ io_unlock(entry->ie_object);
+ return KERN_SUCCESS;
}
kern_return_t
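Review bot: After `is_write_unlock(space)` the code keeps reading `entry->ie_object` (for `io_getlabel`, `io_unlocklabel` and `io_unlock`), but `entry` lives in the space's table and is presumably only stable while the space lock is held. Copying the object into a local before the unlock, as the first mach_port.c hunk does with `port`, avoids relying on the entry afterwards: `ipc_object_t objp = entry->ie_object;` ahead of the check, then `io_getlabel(objp)` and `io_unlock(objp)`. The call also passes `entry->ie_object` to `ipc_right_check` without the `(ipc_port_t)` cast used at the earlier call site. The literal `512` is presumably the size of `outlabel`, and a named constant would make that bound checkable. The function begins outside this hunk.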
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/kern/security.c#7 (text+ko) ====
@@ -47,7 +47,7 @@
lh->lh_port->ip_srights++;
ip_reference(lh->lh_port);
ip_unlock(lh->lh_port);
- kr = ipc_object_copyout(space, lh->lh_port,
+ kr = ipc_object_copyout(space, (ipc_object_t) lh->lh_port,
MACH_MSG_TYPE_PORT_SEND, 0, outlabel);
if (kr != KERN_SUCCESS) {
ip_lock(lh->lh_port);
@@ -146,6 +146,7 @@
ipc_object_t objp;
kern_return_t kr;
struct label *objl;
+ int dead;
if (space == IS_NULL || space->is_task == NULL)
return KERN_INVALID_TASK;
@@ -166,6 +167,13 @@
return kr;
}
+ dead = ipc_right_check(space, entry->ie_object, obj, entry);
+ if (dead) {
+ is_write_unlock(space);
+ mac_destroy_task_label(&subjl);
+ return KERN_INVALID_RIGHT;
+ }
+
objp = entry->ie_object;
io_lock (objp);
is_write_unlock (space);
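Review bot: `io_lock (objp);` is left in place after the new `ipc_right_check` call. Going by the "port is now locked" comments and the removed `ip_lock`/`io_lock` lines in the mach_port.c hunks, that call returns with the object already locked when it is not dead, so this path would take the same lock twice. Dropping the `io_lock (objp);` line while keeping `objp = entry->ie_object;` would match the other two call sites. The function continues outside this hunk, so the matching unlock is not visible here.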