From patchwork Sat Apr 29 13:13:52 2023
X-Patchwork-Submitter: Sergey Bugaev
X-Patchwork-Id: 68548
To: libc-alpha@sourceware.org
Cc: bug-hurd@gnu.org, Samuel Thibault
Subject: [PATCH 5/7] hurd: Don't leak the auth port in msg* RPCs
Date: Sat, 29 Apr 2023 16:13:52 +0300
Message-Id: <20230429131354.2507443-5-bugaevc@gmail.com>
In-Reply-To: <20230429131354.2507443-1-bugaevc@gmail.com>
References: <20230429131354.2507443-1-bugaevc@gmail.com>
From: Sergey Bugaev

The leak can be easily reproduced (and observed) using the portinfo tool:

$ portinfo -v $$ | grep task
36: send task(1577)(self) (refs: 127)
$ portinfo -v $$ | grep task
36: send task(1577)(self) (refs: 253)
$ portinfo -v $$ | grep task
36: send task(1577)(self) (refs: 379)
$ portinfo -v $$ | grep task
36: send task(1577)(self) (refs: 505)
$ portinfo -v $$ | grep task
36: send task(1577)(self) (refs: 631)

Checked on i686-gnu.

Signed-off-by: Sergey Bugaev
--- hurd/hurdmsg.c | 67 +++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 58 insertions(+), 9 deletions(-) diff --git a/hurd/hurdmsg.c b/hurd/hurdmsg.c index 4bedd292..896fb87c 100644 --- a/hurd/hurdmsg.c +++ b/hurd/hurdmsg.c @@ -35,11 +35,17 @@ kern_return_t _S_msg_get_init_port (mach_port_t msgport, mach_port_t auth, int which, mach_port_t *result, mach_msg_type_name_t *result_type) { + error_t err; + AUTHCHECK; + *result_type = MACH_MSG_TYPE_MOVE_SEND; /* This function adds a new user reference for the *RESULT it gives back. Our reply message uses a move-send right that consumes this reference. */ - return _hurd_ports_get (which, result); + err = _hurd_ports_get (which, result); + if (!err && MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); + return err; } kern_return_t @@ -51,10 +57,13 @@ _S_msg_set_init_port (mach_port_t msgport, mach_port_t auth, AUTHCHECK; err = _hurd_ports_set (which, port); - if (err == 0) + + if (!err && MACH_PORT_VALID (port)) __mach_port_deallocate (__mach_task_self (), port); + if (!err && MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); - return 0; + return err; } kern_return_t
@@ -88,6 +97,8 @@ _S_msg_get_init_ports (mach_port_t msgport, mach_port_t auth, } *ports_type = MACH_MSG_TYPE_MOVE_SEND; + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); return 0; } @@ -108,6 +119,8 @@ _S_msg_set_init_ports (mach_port_t msgport, mach_port_t auth, __mach_port_deallocate (__mach_task_self (), ports[i]); } + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); return 0; } @@ -152,9 +165,16 @@ kern_return_t _S_msg_get_init_int (mach_port_t msgport, mach_port_t auth, int which, int *value) { + error_t err; + AUTHCHECK; - return get_int (which, value); + err = get_int (which, value); + if (err) + return err; + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); + return 0; } kern_return_t @@ -185,6 +205,8 @@ _S_msg_get_init_ints (mach_port_t msgport, mach_port_t auth, return err; } + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); return 0; } @@ -236,9 +258,16 @@ kern_return_t _S_msg_set_init_int (mach_port_t msgport, mach_port_t auth, int which, int value) { + error_t err; + AUTHCHECK; - return set_int (which, value); + err = set_int (which, value); + if (err) + return err; + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); + return 0; } kern_return_t @@ -261,6 +290,8 @@ _S_msg_set_init_ints (mach_port_t msgport, mach_port_t auth, return err; } + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); return 0; } @@ -278,6 +309,8 @@ _S_msg_get_fd (mach_port_t msgport, mach_port_t auth, int which, return errno; *result_type = MACH_MSG_TYPE_MOVE_SEND; + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); return 0; } 
@@ -285,17 +318,25 @@ kern_return_t _S_msg_set_fd (mach_port_t msgport, mach_port_t auth, int which, mach_port_t port) { + error_t err; + AUTHCHECK; /* We consume the reference if successful. */ - return HURD_FD_USE (which, (_hurd_port2fd (descriptor, port, 0), 0)); + err = HURD_FD_USE (which, (_hurd_port2fd (descriptor, port, 0), 0)); + if (err) + return err; + + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); + return 0; } /* Snarfing and frobbing environment variables. */ kern_return_t _S_msg_get_env_variable (mach_port_t msgport, - const_string_t variable, // + const_string_t variable, char **data, mach_msg_type_number_t *datalen) { error_t err; @@ -322,14 +363,17 @@ _S_msg_get_env_variable (mach_port_t msgport, kern_return_t _S_msg_set_env_variable (mach_port_t msgport, mach_port_t auth, - const_string_t variable, // - const_string_t value, // + const_string_t variable, + const_string_t value, int replace) { AUTHCHECK; if (__setenv (variable, value, replace)) /* XXX name space */ return errno; + + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); return 0; } @@ -381,6 +425,9 @@ _S_msg_set_environment (mach_port_t msgport, mach_port_t auth, return errno; __argz_extract (data, datalen, envp); __environ = envp; /* XXX cooperate with loadenv et al */ + + if (MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); return 0; } @@ -433,6 +480,8 @@ _S_msg_get_dtable (mach_port_t process, out: __mutex_unlock (&_hurd_dtable_lock); HURD_CRITICAL_END; + if (!err && MACH_PORT_VALID (auth)) + __mach_port_deallocate (__mach_task_self (), auth); return err; }
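Review bot: In the first hunk (_S_msg_get_init_port) the auth right is released only when `!err`, and nothing in the code says who owns it on the error return or when AUTHCHECK returns early. A short comment above the deallocation stating the ownership rule, in the style of the existing "We consume the reference if successful." comment in _S_msg_set_fd, would show that the error paths are deliberate and not a remaining leak.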
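Review bot: In the _S_msg_set_init_port hunk, `return 0;` becomes `return err;`, so a failure from _hurd_ports_set is now reported to the caller where it used to be swallowed. That is a behaviour change separate from the auth leak, and the commit message does not mention it; either describe it there or split it into its own patch. The same goes for the new MACH_PORT_VALID (port) guard on the port deallocation, which does not concern auth.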
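Review bot: The _S_msg_get_init_int hunk (and likewise _S_msg_set_init_int and _S_msg_set_fd) uses `if (err) return err;` followed by an unconditional release and `return 0;`, while _S_msg_get_init_port, _S_msg_set_init_port and _S_msg_get_dtable use `if (!err && MACH_PORT_VALID (auth))` followed by `return err;`. Pick one form. Since the same two-line release is pasted into every handler, a small helper or macro defined next to AUTHCHECK would keep them consistent and make a handler that forgets the release easier to spot in later review.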
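Review bot: In the _S_msg_set_fd hunk the existing comment "We consume the reference if successful." was written when port was the only right consumed; with this change auth is consumed on success as well. Reword the comment to name both rights so it is clear which references the function takes over and which are left to the caller on error.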
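Review bot: The parameter lines of _S_msg_set_env_variable (and of _S_msg_get_env_variable in the preceding hunk) lose their trailing `//`, which has nothing to do with releasing the auth right. Move that cleanup to its own patch, or at least note it in the commit message, so the leak fix stays minimal and easy to audit.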