From 4cb4bd24862777f5066133b31051dd10c0a2d8a8 Mon Sep 17 00:00:00 2001
From: Luca Dariz
Date: Wed, 12 Jun 2024 08:27:54 +0200
Subject: x86_64: fix msg size forwarding in case it's not set by userspace
* ipc/copy_user.c: recent MIG stubs should always fill the size correctly in the msg header, but we shouldn't rely on that. Instead, we use the size that was correctly copied-in, overwriting the value in the header. This is already done by the 32-bit copyinmsg(), and was missing in the 64-bit version. Furthermore, the assertion about user/kernel size make sense with and without USER32, so take it out if the #ifdef.
Message-ID: <20240612062755.116308-1-luca@orpolo.org>
---
 ipc/copy_user.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipc/copy_user.c b/ipc/copy_user.c
index a4b238de..850ea49e 100644
--- a/ipc/copy_user.c
+++ b/ipc/copy_user.c
@@ -442,16 +442,18 @@ int copyinmsg (const void *userbuf, void *kernelbuf, const size_t usize, const s
 }
 kmsg->msgh_size = sizeof(mach_msg_header_t) + ksaddr - (vm_offset_t)(kmsg + 1);
- assert(kmsg->msgh_size <= ksize);
 #else
 /* The 64 bit interface ensures the header is the same size, so it does not need any resizing. */ _Static_assert(sizeof(mach_msg_header_t) == sizeof(mach_msg_user_header_t), "mach_msg_header_t and mach_msg_user_header_t expected to be of the same size");
 if (copyin(umsg, kmsg, usize)) return 1;
+
+ kmsg->msgh_size = usize;
 kmsg->msgh_remote_port &= 0xFFFFFFFF; // FIXME: still have port names here
 kmsg->msgh_local_port &= 0xFFFFFFFF; // also, this assumes little-endian
 #endif
+ assert(kmsg->msgh_size <= ksize);
 return 0;
 }
--
cgit v1.2.3
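Review bot: On the 64-bit path the relocated `assert(kmsg->msgh_size <= ksize)` only runs after `copyin(umsg, kmsg, usize)` has already written usize bytes into kmsg, so it documents the invariant rather than enforcing it, and it disappears entirely in builds with assertions compiled out. If the caller is the only place that guarantees ksize >= usize that is acceptable, but an enforced bound ahead of the copy costs one line, `if (usize > ksize) return 1;` placed before the copyin. Separately, `kmsg->msgh_size = usize;` narrows a size_t (the type shown in the hunk header's signature) into msgh_size, whose type is not visible here; if that field is a 32-bit mach_msg_size_t, a usize of 2^32 or larger would be truncated and could then satisfy the assert, so either the caller must already cap usize or the check should compare usize itself against ksize. copyinmsg begins before this hunk, so whatever validation of usize happens earlier in the function cannot be seen from here.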