[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[gnumach] 01/01: Add patch to fix unsafe protected payload access.
From: |
Samuel Thibault |
Subject: |
[gnumach] 01/01: Add patch to fix unsafe protected payload access. |
Date: |
Thu, 23 Apr 2015 00:09:19 +0000 |
This is an automated email from the git hooks/post-receive script.
sthibault pushed a commit to branch master
in repository gnumach.
commit 978f9aae735dd645adfdd273eebf51ad4b2dadd4
Author: Samuel Thibault <address@hidden>
Date: Wed Apr 22 23:47:19 2015 +0000
Add patch to fix unsafe protected payload access.
---
debian/changelog | 7 +
debian/patches/git-payload-unsafe-access.patch | 202 +++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 210 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 47b5442..8443b3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gnumach (2:1.4+git20150409-2) unstable; urgency=medium
+
+ * patches/git-payload-unsafe-access.patch: Add patch to fix unsafe protected
+ payload access.
+
+ -- Samuel Thibault <address@hidden> Fri, 17 Apr 2015 01:17:34 +0000
+
gnumach (2:1.4+git20150409-1) unstable; urgency=medium
* New upstream snapshot.
diff --git a/debian/patches/git-payload-unsafe-access.patch
b/debian/patches/git-payload-unsafe-access.patch
new file mode 100644
index 0000000..cb46d24
--- /dev/null
+++ b/debian/patches/git-payload-unsafe-access.patch
@@ -0,0 +1,202 @@
+commit bdd46d40d96c4da6f2b98d4e1b2aa04ba5f5848e
+Author: Samuel Thibault <address@hidden>
+Date: Thu Apr 23 01:42:49 2015 +0200
+
+ Avoid accessing ip_protected_payload without the lock.
+
+ * ipc/ipc_kmsg.c (ipc_kmsg_copyout_header): Avoid accessing
+ dest->ip_protected_payload without the lock.
+ * ipc/mach_msg.c (ipc/mach_msg.c): Avoid accessing
+ dest_port->ip_protected_payload without the lock.
+
+diff --git a/ipc/ipc_kmsg.c b/ipc/ipc_kmsg.c
+index 66643fd..c0f07dd 100644
+--- a/ipc/ipc_kmsg.c
++++ b/ipc/ipc_kmsg.c
+@@ -1766,6 +1766,7 @@ ipc_kmsg_copyout_header(
+ case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND, 0): {
+ mach_port_t dest_name;
+ ipc_port_t nsrequest;
++ unsigned long payload;
+
+ /* receiving an asynchronous message */
+
+@@ -1784,6 +1785,7 @@ ipc_kmsg_copyout_header(
+ dest_name = dest->ip_receiver_name;
+ else
+ dest_name = MACH_PORT_NULL;
++ payload = dest->ip_protected_payload;
+
+ if ((--dest->ip_srights == 0) &&
+ ((nsrequest = dest->ip_nsrequest) != IP_NULL)) {
+@@ -1805,8 +1807,7 @@ ipc_kmsg_copyout_header(
+ msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
+ MACH_MSGH_BITS(
+ 0, MACH_MSG_TYPE_PROTECTED_PAYLOAD));
+- msg->msgh_protected_payload =
+- dest->ip_protected_payload;
++ msg->msgh_protected_payload = payload;
+ }
+ msg->msgh_remote_port = MACH_PORT_NULL;
+ return MACH_MSG_SUCCESS;
+@@ -1820,6 +1821,7 @@ ipc_kmsg_copyout_header(
+ ipc_port_t reply = (ipc_port_t) msg->msgh_local_port;
+ mach_port_t dest_name, reply_name;
+ ipc_port_t nsrequest;
++ unsigned long payload;
+
+ /* receiving a request message */
+
+@@ -1890,6 +1892,7 @@ ipc_kmsg_copyout_header(
+ dest_name = dest->ip_receiver_name;
+ else
+ dest_name = MACH_PORT_NULL;
++ payload = dest->ip_protected_payload;
+
+ if ((--dest->ip_srights == 0) &&
+ ((nsrequest = dest->ip_nsrequest) != IP_NULL)) {
+@@ -1912,8 +1915,7 @@ ipc_kmsg_copyout_header(
+ msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
+ MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE,
+ MACH_MSG_TYPE_PROTECTED_PAYLOAD));
+- msg->msgh_protected_payload =
+- dest->ip_protected_payload;
++ msg->msgh_protected_payload = payload;
+ }
+ msg->msgh_remote_port = reply_name;
+ return MACH_MSG_SUCCESS;
+@@ -1921,6 +1923,7 @@ ipc_kmsg_copyout_header(
+
+ case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): {
+ mach_port_t dest_name;
++ unsigned long payload;
+
+ /* receiving a reply message */
+
+@@ -1934,6 +1937,8 @@ ipc_kmsg_copyout_header(
+
+ assert(dest->ip_sorights > 0);
+
++ payload = dest->ip_protected_payload;
++
+ if (dest->ip_receiver == space) {
+ ip_release(dest);
+ dest->ip_sorights--;
+@@ -1955,8 +1960,7 @@ ipc_kmsg_copyout_header(
+ msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
+ MACH_MSGH_BITS(0,
+ MACH_MSG_TYPE_PROTECTED_PAYLOAD));
+- msg->msgh_protected_payload =
+- dest->ip_protected_payload;
++ msg->msgh_protected_payload = payload;
+ }
+ msg->msgh_remote_port = MACH_PORT_NULL;
+ return MACH_MSG_SUCCESS;
+@@ -1973,6 +1977,7 @@ ipc_kmsg_copyout_header(
+ mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits);
+ ipc_port_t reply = (ipc_port_t) msg->msgh_local_port;
+ mach_port_t dest_name, reply_name;
++ unsigned long payload;
+
+ if (IP_VALID(reply)) {
+ ipc_port_t notify_port;
+@@ -2219,6 +2224,7 @@ ipc_kmsg_copyout_header(
+ */
+
+ copyout_dest:
++ payload = dest->ip_protected_payload;
+
+ if (ip_active(dest)) {
+ ipc_object_copyout_dest(space, (ipc_object_t) dest,
+@@ -2255,8 +2261,9 @@ ipc_kmsg_copyout_header(
+ msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
+ MACH_MSGH_BITS(reply_type,
+ MACH_MSG_TYPE_PROTECTED_PAYLOAD));
+- msg->msgh_protected_payload = dest->ip_protected_payload;
++ msg->msgh_protected_payload = payload;
+ }
++
+ msg->msgh_remote_port = reply_name;
+ }
+
+diff --git a/ipc/mach_msg.c b/ipc/mach_msg.c
+index 1e122c7..aecfcd4 100644
+--- a/ipc/mach_msg.c
++++ b/ipc/mach_msg.c
+@@ -1041,6 +1041,7 @@ mach_msg_trap(
+ ipc_port_t reply_port =
+ (ipc_port_t) kmsg->ikm_header.msgh_local_port;
+ mach_port_t dest_name, reply_name;
++ unsigned long payload;
+
+ /* receiving a request message */
+
+@@ -1115,6 +1116,7 @@ mach_msg_trap(
+ dest_name = dest_port->ip_receiver_name;
+ else
+ dest_name = MACH_PORT_NULL;
++ payload = dest_port->ip_protected_payload;
+
+ if ((--dest_port->ip_srights == 0) &&
+ (dest_port->ip_nsrequest != IP_NULL)) {
+@@ -1142,7 +1144,7 @@ mach_msg_trap(
+ MACH_MSG_TYPE_PORT_SEND_ONCE,
+ MACH_MSG_TYPE_PROTECTED_PAYLOAD);
+ kmsg->ikm_header.msgh_protected_payload =
+- dest_port->ip_protected_payload;
++ payload;
+ }
+ kmsg->ikm_header.msgh_remote_port = reply_name;
+ goto fast_put;
+@@ -1155,6 +1157,7 @@ mach_msg_trap(
+
+ case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): {
+ mach_port_t dest_name;
++ unsigned long payload;
+
+ /* receiving a reply message */
+
+@@ -1166,6 +1169,8 @@ mach_msg_trap(
+
+ assert(dest_port->ip_sorights > 0);
+
++ payload = dest_port->ip_protected_payload;
++
+ if (dest_port->ip_receiver == space) {
+ ip_release(dest_port);
+ dest_port->ip_sorights--;
+@@ -1188,7 +1193,7 @@ mach_msg_trap(
+ 0,
+ MACH_MSG_TYPE_PROTECTED_PAYLOAD);
+ kmsg->ikm_header.msgh_protected_payload =
+- dest_port->ip_protected_payload;
++ payload;
+ }
+ kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL;
+ goto fast_put;
+@@ -1197,6 +1202,7 @@ mach_msg_trap(
+ case MACH_MSGH_BITS_COMPLEX|
+ MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): {
+ mach_port_t dest_name;
++ unsigned long payload;
+
+ /* receiving a complex reply message */
+
+@@ -1208,6 +1214,8 @@ mach_msg_trap(
+
+ assert(dest_port->ip_sorights > 0);
+
++ payload = dest_port->ip_protected_payload;
++
+ if (dest_port->ip_receiver == space) {
+ ip_release(dest_port);
+ dest_port->ip_sorights--;
+@@ -1234,7 +1242,7 @@ mach_msg_trap(
+ 0,
+ MACH_MSG_TYPE_PROTECTED_PAYLOAD);
+ kmsg->ikm_header.msgh_protected_payload =
+- dest_port->ip_protected_payload;
++ payload;
+ }
+ kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL;
+
diff --git a/debian/patches/series b/debian/patches/series
index a95f927..1124e86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
50_initrd.patch
60_bigmem.patch
70_dde.patch
+git-payload-unsafe-access.patch
--
Alioth's /usr/local/bin/git-commit-notice on
/srv/git.debian.org/git/pkg-hurd/gnumach.git