bug-hurd
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: port leak in select


From: Richard Braun
Subject: Re: port leak in select
Date: Fri, 2 Dec 2016 10:28:48 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Fri, Dec 02, 2016 at 08:41:21AM +0100, Samuel Thibault wrote:
> About the port leak in select discussed on IRC, I checked history a bit,
> this (000ef460744786571f51604e6de631b7168e239a):
> 
> -      if (d[i].type)
> +      if (d[i].type & ~SELECT_ERROR)
>         __mach_port_destroy (__mach_task_self (), d[i].reply_port);
> 
> was added when handling EBADF , for which there is no reply port to
> destroy. Then I added this (099f8d2b7ecedc4f6fc895d2c35912f995289c24):

Indeed, so type != 0 doesn't imply port creation.

> I guess we could simply do this:
> 
>       for (i = firstfd; i <= lastfd; ++i)
> -             if (d[i].type & ~SELECT_ERROR)
> +             if (d[i].type & SELECT_ERROR)
> +               {
> +                 d[i].reply_port = MACH_PORT_NULL;
> +             }
>             else
>                 {
>                   int type = d[i].type;
>                   d[i].reply_port = __mach_reply_port ();
> 
> as well as in the error case of __io_select_request, and then just check
> against MACH_PORT_NULL before destroy.

So the condition would look like

if (d[i].type && (d[i].reply_port != MACH_PORT_NULL))

I agree.

In the mean time, I've built libc packages that partially fix the issue
(there will still be spurious destruction attempts on EBADF, which could
destroy a legitimate right) but the leak is so severe I found it useful.

If you want those, add

deb http://ftp.sceen.net/debian sid main

to sources.list, and add the GPG key D50E6AD4 to APT.

-- 
Richard Braun



reply via email to

[Prev in Thread] Current Thread [Next in Thread]