diff options
| author | Sergey Bugaev <bugaevc@gmail.com> | 2021-05-26 16:30:53 +0300 |
|---|---|---|
| committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2022-08-10 22:11:48 +0200 |
| commit | 3e62adfb214090de7ad531d3aa68570aae92f9ec (patch) | |
| tree | 2289d1060f8c6d0c9f204a2dee9cc57254a23e25 /libports | |
| parent | 7360a092712ad01c5803901df5ca6e0edef4150f (diff) | |
| download | hurd-3e62adfb214090de7ad531d3aa68570aae92f9ec.tar.gz hurd-3e62adfb214090de7ad531d3aa68570aae92f9ec.tar.bz2 hurd-3e62adfb214090de7ad531d3aa68570aae92f9ec.zip | |
proc: Drop some mach_port_destroy () uses
mach_port_destroy () is a dangerous API that has to be used with extreme care.
Namely, it destroys not one user reference, but *all* user references that a
task has for a port name. Different parts of a program may all keep separate
references on a port without coordinating it with each other (which is the
whole idea behind reference counting). If one part of a program decides to
destroy a port with mach_port_destroy () without informing others, others may
still believe they hold a reference and will continue to use the name as if it
still refered to the now-destroyed port right. This consitutes a port
use-after-free, even if their use is also deallocating their reference.
In the particular case of the proc server, this manifested itself as
S_proc_reassign () destroying all user references to the task port right before
the task port right is deallocated again in the dead-name notification handler.
Diffstat (limited to 'libports')
0 files changed, 0 insertions, 0 deletions