From bdd46d40d96c4da6f2b98d4e1b2aa04ba5f5848e Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Thu, 23 Apr 2015 01:42:49 +0200
Subject: Avoid accessing ip_protected_payload without the lock.
* ipc/ipc_kmsg.c (ipc_kmsg_copyout_header): Avoid accessing dest->ip_protected_payload without the lock.
* ipc/mach_msg.c (ipc/mach_msg.c): Avoid accessing dest_port->ip_protected_payload without the lock.
---
 ipc/ipc_kmsg.c | 21 ++++++++++++++-------
 ipc/mach_msg.c | 14 +++++++++++---
 2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/ipc/ipc_kmsg.c b/ipc/ipc_kmsg.c
index 66643fd..c0f07dd 100644
--- a/ipc/ipc_kmsg.c
+++ b/ipc/ipc_kmsg.c
@@ -1766,6 +1767,7 @@ ipc_kmsg_copyout_header( case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND, 0): { mach_port_t dest_name; ipc_port_t nsrequest; + unsigned long payload; /* receiving an asynchronous message */
@@ -1784,6 +1785,7 @@ ipc_kmsg_copyout_header( dest_name = dest->ip_receiver_name; else dest_name = MACH_PORT_NULL; + payload = dest->ip_protected_payload; if ((--dest->ip_srights == 0) && ((nsrequest = dest->ip_nsrequest) != IP_NULL)) {
@@ -1805,8 +1807,7 @@ ipc_kmsg_copyout_header( msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) | MACH_MSGH_BITS( 0, MACH_MSG_TYPE_PROTECTED_PAYLOAD)); - msg->msgh_protected_payload = - dest->ip_protected_payload; + msg->msgh_protected_payload = payload; } msg->msgh_remote_port = MACH_PORT_NULL; return MACH_MSG_SUCCESS;
@@ -1820,6 +1821,7 @@ ipc_kmsg_copyout_header( ipc_port_t reply = (ipc_port_t) msg->msgh_local_port; mach_port_t dest_name, reply_name; ipc_port_t nsrequest; + unsigned long payload; /* receiving a request message */
@@ -1890,6 +1892,7 @@ ipc_kmsg_copyout_header( dest_name = dest->ip_receiver_name; else dest_name = MACH_PORT_NULL; + payload = dest->ip_protected_payload; if ((--dest->ip_srights == 0) && ((nsrequest = dest->ip_nsrequest) != IP_NULL)) {
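Review bot: The new `payload = dest->ip_protected_payload;` lines in the -1784 and -1890 hunks carry no comment saying why the field is copied into a local, so a later reader sees an apparently pointless temporary; the reason, which per the commit message is that `dest` is unlocked before `msg->msgh_protected_payload` is filled in, lives only in the commit message. Suggest `/* Read while dest is still locked; it is unlocked before the header is filled in. */` above each snapshot, and the same at the -1934 and -2219 snapshots and the three in ipc/mach_msg.c. Placing the read before `--dest->ip_srights` looks like the right spot, since that decrement appears to be what can hand the port off to the no-senders path. ipc_kmsg_copyout_header starts and ends outside these hunks.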
@@ -1912,8 +1915,7 @@ ipc_kmsg_copyout_header( msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) | MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, MACH_MSG_TYPE_PROTECTED_PAYLOAD)); - msg->msgh_protected_payload = - dest->ip_protected_payload; + msg->msgh_protected_payload = payload; } msg->msgh_remote_port = reply_name; return MACH_MSG_SUCCESS;
@@ -1921,6 +1923,7 @@ ipc_kmsg_copyout_header( case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): { mach_port_t dest_name; + unsigned long payload; /* receiving a reply message */
@@ -1934,6 +1937,8 @@ ipc_kmsg_copyout_header( assert(dest->ip_sorights > 0); + payload = dest->ip_protected_payload; + if (dest->ip_receiver == space) { ip_release(dest); dest->ip_sorights--;
@@ -1955,8 +1960,7 @@ ipc_kmsg_copyout_header( msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) | MACH_MSGH_BITS(0, MACH_MSG_TYPE_PROTECTED_PAYLOAD)); - msg->msgh_protected_payload = - dest->ip_protected_payload; + msg->msgh_protected_payload = payload; } msg->msgh_remote_port = MACH_PORT_NULL; return MACH_MSG_SUCCESS;
@@ -1973,6 +1977,7 @@ ipc_kmsg_copyout_header( mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits); ipc_port_t reply = (ipc_port_t) msg->msgh_local_port; mach_port_t dest_name, reply_name; + unsigned long payload; if (IP_VALID(reply)) { ipc_port_t notify_port;
@@ -2219,6 +2224,7 @@ ipc_kmsg_copyout_header( */ copyout_dest: + payload = dest->ip_protected_payload; if (ip_active(dest)) { ipc_object_copyout_dest(space, (ipc_object_t) dest,
@@ -2255,8 +2261,9 @@ ipc_kmsg_copyout_header( msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) | MACH_MSGH_BITS(reply_type, MACH_MSG_TYPE_PROTECTED_PAYLOAD)); - msg->msgh_protected_payload = dest->ip_protected_payload; + msg->msgh_protected_payload = payload; } + msg->msgh_remote_port = reply_name; }
diff --git a/ipc/mach_msg.c b/ipc/mach_msg.c
index 1e122c7..aecfcd4 100644
--- a/ipc/mach_msg.c
+++ b/ipc/mach_msg.c
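Review bot: In the general case (hunks -1973, -2219, -2255) `payload` is declared uninitialized at the top of the case and is only assigned at `copyout_dest:`, roughly 240 lines later, while the use in the -2255 hunk copies it straight into a header handed back to the receiver; if any path reaches that `MACH_MSG_TYPE_PROTECTED_PAYLOAD` branch without passing the label, indeterminate kernel stack contents would leave the kernel. The intervening lines are not in the hunks, so this needs confirming against the full function; initialising with `unsigned long payload = 0;` would at least make a missed path deterministic and keep -Wmaybe-uninitialized quiet. Separately, the -2255 hunk has a second added line adjacent to `msg->msgh_remote_port = reply_name;` — whether that is an added blank line or the assignment itself being added cannot be recovered from the collapsed layout, and if it is the assignment it is a behavioural change the commit message does not mention. ipc_kmsg_copyout_header continues outside these hunks.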
@@ -1041,6 +1041,7 @@ mach_msg_trap( ipc_port_t reply_port = (ipc_port_t) kmsg->ikm_header.msgh_local_port; mach_port_t dest_name, reply_name; + unsigned long payload; /* receiving a request message */
@@ -1115,6 +1116,7 @@ mach_msg_trap( dest_name = dest_port->ip_receiver_name; else dest_name = MACH_PORT_NULL; + payload = dest_port->ip_protected_payload; if ((--dest_port->ip_srights == 0) && (dest_port->ip_nsrequest != IP_NULL)) {
@@ -1142,7 +1144,7 @@ mach_msg_trap( MACH_MSG_TYPE_PORT_SEND_ONCE, MACH_MSG_TYPE_PROTECTED_PAYLOAD); kmsg->ikm_header.msgh_protected_payload = - dest_port->ip_protected_payload; + payload; } kmsg->ikm_header.msgh_remote_port = reply_name; goto fast_put;
@@ -1155,6 +1157,7 @@ mach_msg_trap( case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): { mach_port_t dest_name; + unsigned long payload; /* receiving a reply message */
@@ -1166,6 +1169,8 @@ mach_msg_trap( assert(dest_port->ip_sorights > 0); + payload = dest_port->ip_protected_payload; + if (dest_port->ip_receiver == space) { ip_release(dest_port); dest_port->ip_sorights--;
@@ -1188,7 +1193,7 @@ mach_msg_trap( 0, MACH_MSG_TYPE_PROTECTED_PAYLOAD); kmsg->ikm_header.msgh_protected_payload = - dest_port->ip_protected_payload; + payload; } kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL; goto fast_put;
@@ -1197,6 +1202,7 @@ mach_msg_trap( case MACH_MSGH_BITS_COMPLEX| MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): { mach_port_t dest_name; + unsigned long payload; /* receiving a complex reply message */
@@ -1208,6 +1214,8 @@ mach_msg_trap( assert(dest_port->ip_sorights > 0); + payload = dest_port->ip_protected_payload; + if (dest_port->ip_receiver == space) { ip_release(dest_port); dest_port->ip_sorights--;
@@ -1234,7 +1242,7 @@ mach_msg_trap( 0, MACH_MSG_TYPE_PROTECTED_PAYLOAD); kmsg->ikm_header.msgh_protected_payload = - dest_port->ip_protected_payload; + payload; } kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL;
-- 
cgit v1.2.3
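Review bot: The three `payload` snapshots in mach_msg_trap (hunks -1115, -1166, -1208) are line-for-line copies of the ones in ipc_kmsg_copyout_header, and that duplication is what let the unlocked read exist in six places at once. Consider either a small `static inline` accessor that reads the field while the port lock is held and is used by both files, or at least a `/* Keep in sync with ipc_kmsg_copyout_header(). */` comment at each of the three `case` labels, so the next header field added here is fixed on both paths together. Declaring `unsigned long payload;` once above the switch instead of once per `case` would also shrink these hunks. mach_msg_trap starts and ends outside these hunks.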