bug-hurd

[bug #48456] mig-generated user code does not destroy invalid reply


From: Kalle Olavi Niemitalo
Subject: [bug #48456] mig-generated user code does not destroy invalid reply
Date: Sun, 10 Jul 2016 11:56:24 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.8.0

URL:
  <http://savannah.gnu.org/bugs/?48456>

                 Summary: mig-generated user code does not destroy invalid reply
                 Project: The GNU Hurd
            Submitted by: kon
            Submitted on: Sun Jul 10 11:56:21 2016
                Category: GNU MIG
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
         Reproducibility: Every Time
              Size (loc): None
         Planned Release: None
                  Effort: 0.00
Wiki-like text discussion box: 

    _______________________________________________________

Details:

If "user" code generated by MIG sends a request to a server and gets back a
reply that does not match the RPC definition, then it returns an error but
does not destroy the reply message.  So if the reply carried any rights to
ports, then those rights will remain in the task.  This could perhaps be used
for denial of service, if a long-lived process calls a less-trusted one.

The attached reply-leak.tar.gz demonstrates this bug.  In it, a program first
forks and the child process then does an RPC to the parent once per second,
but the parent process replies with a message that has an unexpected msgh_id
and carries ten receive rights instead of the required data.  In the child
process, MIG-generated code detects this mismatch and returns an error, which
the child process logs.  The child process then checks how many port names it
has, and logs that value, which increases by ten per second.  It should not
increase.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sun Jul 10 11:56:21 2016  Name: reply-leak.tar.gz  Size: 2kB   By: kon
test case
<http://savannah.gnu.org/bugs/download.php?file_id=37791>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?48456>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
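The accounting behind the report can be shown without a Hurd system. The C program below is an added illustration, not code from the report, its attachment, or GNU MIG: it models a task's port-name space with a constructed table, a server that replies with a wrong message id and ten receive rights, and two versions of a user stub. The "leaky" stub returns the mismatch error and leaves the rights in the task, so the name count grows by ten per call, as the report describes; the "fixed" stub destroys the reply first. Every identifier (`user_stub_leaky`, `run_rounds`, `REPLY_ID_EXPECTED`, the error value) is invented for this model; in real MIG output the destroy step would be a call to the Mach library's `mach_msg_destroy` on the received reply header.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of a task's port-name space; not Mach headers. */
#define MAX_NAMES          4096
#define MAX_RIGHTS_PER_MSG 16
#define REPLY_ID_EXPECTED  1100   /* hypothetical id the stub expects */
#define ERR_REPLY_MISMATCH (-303) /* stands in for MIG's mismatch error */
#define KERN_OK            0

typedef struct {
    int msgh_id;                    /* id the server put in the header */
    int nrights;                    /* port rights carried in the body */
    int names[MAX_RIGHTS_PER_MSG];  /* names assigned to them on receipt */
    int data;                       /* payload of a well-formed reply */
} reply_msg_t;

static bool name_in_use[MAX_NAMES];
static int  next_name;

static void task_reset(void)
{
    memset(name_in_use, 0, sizeof name_in_use);
    next_name = 1;
}

/* What the child in the report logs: how many port names the task holds. */
int task_port_name_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_NAMES; i++)
        if (name_in_use[i]) n++;
    return n;
}

/* Receive side of mach_msg(): each right in the message becomes a name. */
static void simulated_receive(reply_msg_t *reply)
{
    for (int i = 0; i < reply->nrights && next_name < MAX_NAMES; i++) {
        reply->names[i] = next_name++;
        name_in_use[reply->names[i]] = true;
    }
}

/* Analogue of mach_msg_destroy(): release every right the message carried. */
static void simulated_msg_destroy(reply_msg_t *reply)
{
    for (int i = 0; i < reply->nrights; i++)
        name_in_use[reply->names[i]] = false;
    reply->nrights = 0;
}

/* The misbehaving server: unexpected msgh_id, ten receive rights, no data. */
static void build_bad_reply(reply_msg_t *reply)
{
    memset(reply, 0, sizeof *reply);
    reply->msgh_id = REPLY_ID_EXPECTED + 1;
    reply->nrights = 10;
}

/* Leaky stub: reports the mismatch but leaves the rights in the task. */
int user_stub_leaky(reply_msg_t *reply, int *out)
{
    simulated_receive(reply);
    if (reply->msgh_id != REPLY_ID_EXPECTED)
        return ERR_REPLY_MISMATCH;
    *out = reply->data;
    return KERN_OK;
}

/* Fixed stub: destroys the unexpected reply before returning the error. */
int user_stub_fixed(reply_msg_t *reply, int *out)
{
    simulated_receive(reply);
    if (reply->msgh_id != REPLY_ID_EXPECTED) {
        simulated_msg_destroy(reply);
        return ERR_REPLY_MISMATCH;
    }
    *out = reply->data;
    return KERN_OK;
}

/* Do `rounds` RPCs against the bad server; return the name count afterwards
   (-1 if a stub failed to report the mismatch). */
int run_rounds(bool fixed, int rounds)
{
    task_reset();
    for (int r = 0; r < rounds; r++) {
        reply_msg_t reply;
        int out, err;
        build_bad_reply(&reply);
        err = fixed ? user_stub_fixed(&reply, &out) : user_stub_leaky(&reply, &out);
        if (err != ERR_REPLY_MISMATCH)
            return -1;
    }
    return task_port_name_count();
}

int main(void)
{
    printf("leaky stub after 3 RPCs: %d port names\n", run_rounds(false, 3));
    printf("fixed stub after 3 RPCs: %d port names\n", run_rounds(true, 3));
    return 0;
}
```

Both stubs report the same error to the caller; the only difference is whether the rights that arrived with the rejected message are released, which is exactly the check a long-lived client of a less-trusted server needs.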



