From patchwork Tue Jan 4 00:15:22 2022
X-Patchwork-Submitter: Samuel Thibault
X-Patchwork-Id: 49500
From: Samuel Thibault
To: libc-alpha@sourceware.org
Cc: commit-hurd@gnu.org
Subject: [hurd,commited] hurd: nuke all unknown ports on exec
Date: Tue, 4 Jan 2022 01:15:22 +0100
Message-Id: <20220104001522.3835857-1-samuel.thibault@ens-lyon.org>

Ports which are not in the ports table or dtable will not make sense for the new program, so we can nuke them. Actually we shall, otherwise we would be leaking various ports, for instance the file_t of the executed program itself.

--- hurd/hurdexec.c | 46 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/hurd/hurdexec.c b/hurd/hurdexec.c index 5b27f1861b..546cc69960 100644 --- a/hurd/hurdexec.c +++ b/hurd/hurdexec.c
@@ -65,12 +65,16 @@ _hurd_exec_paths (task_t task, file_t file, _hurd_port_free (&_hurd_ports[i], &ulink_ports[i], ports[i]); } file_t *dtable; - unsigned int dtablesize, i; + unsigned int dtablesize, i, j; struct hurd_port **dtable_cells; struct hurd_userlink *ulink_dtable; struct hurd_sigstate *ss; mach_port_t *please_dealloc, *pdp; int reauth = 0; + mach_port_t *portnames = NULL; + mach_msg_type_number_t nportnames = 0; + mach_port_type_t *porttypes = NULL; + mach_msg_type_number_t nporttypes = 0; /* XXX needs to be hurdmalloc XXX */ if (argv == NULL) @@ -361,6 +365,15 @@ retry: if (pdp) { + /* Get all ports that we may not know about and we should thus destroy. */ + /* XXX need to disable other threads to be safe. */ + if (err = __mach_port_names (__mach_task_self (), + &portnames, &nportnames, + &porttypes, &nporttypes)) + return err; + if (nportnames != nporttypes) + return EGRATUITOUS; + /* Request the exec server to deallocate some ports from us if the exec succeeds. The init ports and descriptor ports will arrive in the new program's exec_startup message. If we @@ -370,9 +383,30 @@ retry: exec call. */ for (i = 0; i < _hurd_nports; ++i) - *pdp++ = ports[i]; + { + *pdp++ = ports[i]; + for (j = 0; j < nportnames; j++) + if (portnames[j] == ports[i]) + portnames[j] = MACH_PORT_NULL; + } for (i = 0; i < dtablesize; ++i) - *pdp++ = dtable[i]; + { + *pdp++ = dtable[i]; + for (j = 0; j < nportnames; j++) + if (portnames[j] == dtable[i]) + portnames[j] = MACH_PORT_NULL; + } + + /* Pack ports to be destroyed together. */ + for (i = 0, j = 0; i < nportnames; i++) + { + if (portnames[i] == MACH_PORT_NULL) + continue; + if (j != i) + portnames[j] = portnames[i]; + j++; + } + nportnames = j; } flags = 0; 
@@ -393,8 +427,7 @@ retry: _hurd_nports, ints, INIT_INT_MAX, please_dealloc, pdp - please_dealloc, - &_hurd_msgport, - task == __mach_task_self () ? 1 : 0); + portnames, nportnames); /* Fall back for backwards compatibility. This can just be removed when __file_exec goes away. */ if (err == MIG_BAD_ID) @@ -404,8 +437,7 @@ retry: ports, MACH_MSG_TYPE_COPY_SEND, _hurd_nports, ints, INIT_INT_MAX, please_dealloc, pdp - please_dealloc, - &_hurd_msgport, - task == __mach_task_self () ? 1 : 0); + portnames, nportnames); } /* Release references to the standard ports. */
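
Review bot: in the `@@ -361,6 +365,15 @@` hunk, the two new early exits (`return err;` and `return EGRATUITOUS;`) leave the function directly from inside the `if (pdp)` block, bypassing the cleanup that the later context line "Release references to the standard ports." shows running after the exec call. The `EGRATUITOUS` path also returns after `__mach_port_names` has already handed back the `portnames` and `porttypes` arrays, and no visible line in the patch releases them on any path, including when control passes through `retry:` again and the call overwrites the previous pointers. Suggest setting `err` and falling through to the common cleanup instead of returning, and releasing both arrays there (for example with `__vm_deallocate`) when they are non-NULL. Style point on the same lines: `if (err = __mach_port_names (...))` uses an assignment as a condition without the extra parentheses, which compilers flag under `-Wparentheses`.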
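
Review bot: in the `@@ -370,9 +383,30 @@` hunk, `porttypes` is never read by the filtering or packing loops (its only use is the `nportnames != nporttypes` count check), so the destroy list ends up holding every name in the task that is not in `ports[]` or `dtable[]`, whatever kind of right it denotes. If that is the intent, as the commit message suggests, the comment above the `__mach_port_names` call should say so explicitly and state that the type array is fetched only because the RPC returns it. The `XXX need to disable other threads` remark also deserves one more sentence on the consequence: the list is a snapshot, so a port another thread allocates after the call is not destroyed and still leaks into the new program, while a name another thread frees and reuses before the exec RPC is destroyed under its new meaning. Minor: each entry of `ports[]` and `dtable[]` triggers a full scan of `portnames`, which is quadratic in the number of ports; sorting the name array once, or marking entries in a single pass, would avoid that for tasks with large descriptor tables.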
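
Review bot: in the `@@ -393,8 +427,7 @@` and `@@ -404,8 +437,7 @@` hunks, both call sites drop the explicit `task == __mach_task_self () ? 1 : 0` count and now pass `portnames, nportnames` unconditionally. The names come from `__mach_port_names (__mach_task_self (), ...)`, so they are only meaningful when the task being exec'd is the caller itself; the patch relies on the list staying `NULL`/0 unless the `if (pdp)` block ran. Please confirm that `pdp` is non-NULL exactly when `task == __mach_task_self ()` and add a comment at the call saying so, or keep the explicit task check next to the `__mach_port_names` call so the dependency is visible. The existing comment that begins "Request the exec server to deallocate some ports from us" should also be extended to mention the new destroy list, since it still describes only `please_dealloc`.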