This is an archive of the discontinued LLVM Phabricator instance.

Differential D45011

Prevent double release of mach ports
ClosedPublic

Authored by friss on Mar 28 2018, 6:04 PM.

Details

Reviewers
jasonmolenda
Commits
rGfa37026db316: Prevent double release of mach ports
rLLDB328761: Prevent double release of mach ports
rL328761: Prevent double release of mach ports
Summary

When a MIG routine returns KERN_FAILURE, the demux function will release any OOL resources like ports. In this case, task_port and thread_port will be released twice, potentially resulting in use after free of the ports.

I don't think we can test this in any useful way
rdar://problem/37331387

Diff Detail

Event Timeline

friss created this revision.Mar 28 2018, 6:04 PM
Harbormaster completed remote builds in B16525: Diff 140174.Mar 28 2018, 6:04 PM
jingham added a subscriber: jingham.Mar 28 2018, 6:24 PM

Yes, this is one of the required MIG functions, but it isn't the flavor we register to receive callbacks on (we pass EXCEPTION_DEFAULT to task_set_exception_ports), so this function should never get called. That makes it doubly hard to test!

davide added a subscriber: davide.Mar 28 2018, 6:34 PM

I'm not particularly worried about testing double-free behavior, FWIW.
Ideally we should, but, I really understand it's a PITA. I think we might get this for free when testing msan/asan (or just running under valgrind), assuming there was already coverage for this path.
(and if there wasn't, well, it's a separate issue).

jingham added a comment.Mar 28 2018, 6:38 PM

Because of the mysteries of MIG, all the flavors of catch_exception_raise have to be defined, but you register for a particular flavor when you set the task exception ports. This isn't the flavor we register. So this function is necessary but never used.

jasonmolenda accepted this revision.Mar 28 2018, 6:50 PM

valgrind/asan/msan aren't going to help - this is a pretty obscure stuff. We could verify by hand that we're not leaking a port if this code was actually executed via lsmp(1) on macos, but Jim knows more about our MIG use than I do & I'm sure he's right that this code is never called. LGTM.

This revision is now accepted and ready to land.Mar 28 2018, 6:50 PM
Closed by commit rL328761: Prevent double release of mach ports (authored by friss). · Explain WhyMar 28 2018, 8:53 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptMar 28 2018, 8:53 PM

Revision Contents

PathSize
source/
Plugins/
Process/
Darwin/
2 lines
tools/
debugserver/
source/
MacOSX/
2 lines

Diff 140174

source/Plugins/Process/Darwin/MachException.cpp

Show First 20 LinesShow All 86 Lines▼ Show 20 Lines if (log) {
log->Printf("::%s(exc_port = 0x%4.4x, thd_port = 0x%4.4x, " log->Printf("::%s(exc_port = 0x%4.4x, thd_port = 0x%4.4x, "
"tsk_port = 0x%4.4x, exc_type = %d (%s), exc_data[%d] = " "tsk_port = 0x%4.4x, exc_type = %d (%s), exc_data[%d] = "
"{ 0x%llx, 0x%llx })", "{ 0x%llx, 0x%llx })",
__FUNCTION__, exc_port, thread_port, task_port, exc_type, __FUNCTION__, exc_port, thread_port, task_port, exc_type,
MachException::Name(exc_type), exc_data_count, MachException::Name(exc_type), exc_data_count,
(uint64_t)(exc_data_count > 0 ? exc_data[0] : 0xBADDBADD), (uint64_t)(exc_data_count > 0 ? exc_data[0] : 0xBADDBADD),
(uint64_t)(exc_data_count > 1 ? exc_data[1] : 0xBADDBADD)); (uint64_t)(exc_data_count > 1 ? exc_data[1] : 0xBADDBADD));
} }
mach_port_deallocate(mach_task_self(), task_port);
mach_port_deallocate(mach_task_self(), thread_port);
return KERN_FAILURE; return KERN_FAILURE;
} }
extern "C" kern_return_t extern "C" kern_return_t
catch_mach_exception_raise(mach_port_t exc_port, mach_port_t thread_port, catch_mach_exception_raise(mach_port_t exc_port, mach_port_t thread_port,
mach_port_t task_port, exception_type_t exc_type, mach_port_t task_port, exception_type_t exc_type,
mach_exception_data_t exc_data, mach_exception_data_t exc_data,
▲ Show 20 LinesShow All 404 LinesShow Last 20 Lines

tools/debugserver/source/MacOSX/MachException.cpp

Show First 20 LinesShow All 80 Lines▼ Show 20 Lines if (DNBLogCheckLogBit(LOG_EXCEPTIONS)) {
DNBLogThreaded("::%s ( exc_port = 0x%4.4x, thd_port = 0x%4.4x, tsk_port = " DNBLogThreaded("::%s ( exc_port = 0x%4.4x, thd_port = 0x%4.4x, tsk_port = "
"0x%4.4x, exc_type = %d ( %s ), exc_data[%d] = { 0x%llx, " "0x%4.4x, exc_type = %d ( %s ), exc_data[%d] = { 0x%llx, "
"0x%llx })", "0x%llx })",
__FUNCTION__, exc_port, thread_port, task_port, exc_type, __FUNCTION__, exc_port, thread_port, task_port, exc_type,
MachException::Name(exc_type), exc_data_count, MachException::Name(exc_type), exc_data_count,
(uint64_t)(exc_data_count > 0 ? exc_data[0] : 0xBADDBADD), (uint64_t)(exc_data_count > 0 ? exc_data[0] : 0xBADDBADD),
(uint64_t)(exc_data_count > 1 ? exc_data[1] : 0xBADDBADD)); (uint64_t)(exc_data_count > 1 ? exc_data[1] : 0xBADDBADD));
} }
mach_port_deallocate(mach_task_self(), task_port);
mach_port_deallocate(mach_task_self(), thread_port);
return KERN_FAILURE; return KERN_FAILURE;
} }
extern "C" kern_return_t extern "C" kern_return_t
catch_mach_exception_raise(mach_port_t exc_port, mach_port_t thread_port, catch_mach_exception_raise(mach_port_t exc_port, mach_port_t thread_port,
mach_port_t task_port, exception_type_t exc_type, mach_port_t task_port, exception_type_t exc_type,
mach_exception_data_t exc_data, mach_exception_data_t exc_data,
▲ Show 20 LinesShow All 400 LinesShow Last 20 Lines