From ed7f24debd15745f9e6c20151ec1c5989b58de4e Mon Sep 17 00:00:00 2001
From: Sergey Bugaev
Date: Thu, 15 Jun 2023 21:17:31 +0300
Subject: Fix copying in MACH_PORT_DEAD on x86_64

We need to properly convert MACH_PORT_NAME_DEAD (which is 32-bit -1) into IO_DEAD, which is 64-bit -1. To reproduce: $ portinfo -va 1 (see the Mach crash trying to access a port at 0xffffffff)

Message-Id: <20230615181731.119328-1-bugaevc@gmail.com>
---
 ipc/ipc_kmsg.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'ipc/ipc_kmsg.c')

diff --git a/ipc/ipc_kmsg.c b/ipc/ipc_kmsg.c
index 1988da45..5012e607 100644
--- a/ipc/ipc_kmsg.c
+++ b/ipc/ipc_kmsg.c
@@ -1447,8 +1447,10 @@ ipc_kmsg_copyin_body(
 mach_port_name_t port = ((mach_port_t*)data)[i];
 ipc_object_t object;
- if (!MACH_PORT_NAME_VALID(port))
+ if (!MACH_PORT_NAME_VALID(port)) {
+ objects[i] = (ipc_object_t)invalid_name_to_port(port);
 continue;
+ }
 kr = ipc_object_copyin(space, port, name, &object);
@@ -1465,9 +1467,6 @@ ipc_kmsg_copyin_body(
 kmsg->ikm_header.msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
- /* TODO: revisit this for 64 bits since the size of
- * mach_port_name_t is not the same as a pointer size.
- */
 objects[i] = object;
 }
-- 
cgit v1.2.3
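Review bot: The new `objects[i] = (ipc_object_t)invalid_name_to_port(port);` in the first hunk gives no hint of why the raw name cannot simply be left in the slot, and the only nearby mention of the width mismatch (the TODO about mach_port_name_t versus pointer size) is removed by the second hunk, so the rationale now lives solely in the commit message. A short comment above the assignment would keep it visible in the code, e.g. `/* Invalid (NULL/DEAD) names are 32-bit; store the pointer-sized IO_DEAD (or its null counterpart) rather than the raw name, which is not a valid object. */`. Since, per the description, a dead name in an inline port array sent by a user task was enough to crash the kernel, it would be worth pairing this fix with a regression test based on the `portinfo -va 1` reproducer so the conversion is exercised on every build. The body of ipc_kmsg_copyin_body begins before the first hunk and continues past the second, so the surrounding loop and error handling are not visible here.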