Date: Thu, 13 Apr 2023 00:54:30 +0200
From: Samuel Thibault
To: Sergey Bugaev
Cc: libc-alpha@sourceware.org, bug-hurd@gnu.org
Subject: Re: [RFC PATCH glibc 25/34] hurd: Improve reply port handling when exiting signal handlers

Hello,

Sergey Bugaev, on Sun. 19 Mar 2023 18:10:08 +0300, wrote:
> Also, use mach_port_mod_refs () and not mach_port_destroy () to destroy
> the receive right. mach_port_destroy () should *never* be used on
> mach_task_self (); this can easily lead to port use-after-free
> vulnerabilities if the task has any other references to the same port.

I had to revert the sigreturn part of this, it was making signal/tst-signal signal/tst-raise signal/tst-minsigstksz-5 htl/tst-raise1 fail.

> Signed-off-by: Sergey Bugaev > --- > > NOTE: I don't really understand why sigunwind wants to destroy both its > current reply port and user's reply port. Prior to commit > fb304035c41c7ee2afede51e5e8568974549ba5e, it was *restoring* the user's > reply port, in which case it actually made sense to destroy the current > reply port. Post-fb304035c41c7ee2afede51e5e8568974549ba5e, wouldn't it > be better to just keep using the current reply port, destroying the > user's one? > > hurd/sigunwind.c | 24 +++++++++++------------- > sysdeps/mach/hurd/i386/sigreturn.c | 21 +++++---------------- > 2 files changed, 16 insertions(+), 29 deletions(-) > > diff --git a/sysdeps/mach/hurd/i386/sigreturn.c b/sysdeps/mach/hurd/i386/sigreturn.c > index db1a01f3..29c9629f 100644 > --- a/sysdeps/mach/hurd/i386/sigreturn.c > +++ b/sysdeps/mach/hurd/i386/sigreturn.c > @@ -101,20 +100,10 @@ __sigreturn (struct sigcontext *scp) > > /* Destroy the MiG reply port used by the signal handler, and restore the > reply port in use by the thread when interrupted. */ [...] > - __mach_port_destroy (__mach_task_self (), port); > + __mach_port_mod_refs (__mach_task_self (), reply_port, > + MACH_PORT_RIGHT_RECEIVE, -1);
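
Review bot: in the sigreturn.c hunk the return value of __mach_port_mod_refs is discarded, so if reply_port is MACH_PORT_NULL or no longer names a receive right, the call fails silently and nothing records that the right was not released. I would guard the call with MACH_PORT_VALID (reply_port) and check the returned kern_return_t (an assert on KERN_SUCCESS would do), which would also help narrow down the test failures reported in the reply above. Separately, the removed call operated on `port` while the new one uses `reply_port`; since the lines in between are elided here, please make sure both refer to the handler's reply port and that the unchanged comment about restoring the interrupted thread's reply port still matches the code.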
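
The name-reuse hazard described in the quoted commit message, as an added example that is not part of the original mail or of glibc: a toy C model of one task's port name space. The table layout, the lowest-free-name allocation policy and all `model_*` names are assumptions made for illustration.

```c
/* Toy model (constructed; not Mach or glibc code) of one task's port name space. */
#include <stdio.h>

#define NAMES 4
enum kind { FREE, PORT, DEAD };            /* what a name currently denotes */
struct entry { enum kind kind; int receive; int send_urefs; int port_id; };
static struct entry space[NAMES];
static int next_port_id = 1;

/* Allocate the lowest free name with a receive right, like a fresh reply port.
   Lowest-free allocation is an assumption of this model. */
static int model_allocate(void) {
    for (int n = 0; n < NAMES; n++)
        if (space[n].kind == FREE) {
            space[n] = (struct entry){ PORT, 1, 0, next_port_id++ };
            return n;
        }
    return -1;
}

/* Another part of the task takes a send right under the same name. */
static void model_make_send(int n) { space[n].send_urefs++; }

/* Modelled mach_port_destroy: every right under the name goes, name is free. */
static void model_destroy(int n) { space[n] = (struct entry){ FREE, 0, 0, 0 }; }

/* Modelled mach_port_mod_refs (RECEIVE, -1): only the receive right goes;
   remaining send rights keep the name allocated as a dead name. */
static int model_drop_receive(int n) {
    if (space[n].kind != PORT || !space[n].receive) return -1;
    space[n].receive = 0;
    if (space[n].send_urefs > 0) space[n].kind = DEAD;
    else space[n] = (struct entry){ FREE, 0, 0, 0 };
    return 0;
}

/* Returns 1 if a stale holder of the old name now reaches a different port. */
static int stale_name_aliases_new_port(int use_destroy) {
    for (int n = 0; n < NAMES; n++) space[n] = (struct entry){ FREE, 0, 0, 0 };
    int reply = model_allocate();
    int old_id = space[reply].port_id;
    model_make_send(reply);                /* second reference, held elsewhere */
    if (use_destroy) model_destroy(reply); else model_drop_receive(reply);
    int fresh = model_allocate();          /* unrelated port created later */
    return fresh == reply && space[reply].port_id != old_id;
}

int main(void) {
    printf("destroy:  aliased=%d\n", stale_name_aliases_new_port(1));
    printf("mod_refs: aliased=%d\n", stale_name_aliases_new_port(0));
    return 0;
}
```

In the destroy case the second holder's name silently resolves to the later, unrelated port; in the mod_refs case it resolves to a dead name, which fails detectably.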