[Webkit-unassigned] [Bug 184202] New: Failures from mach port reference handling should be fatal

Fri Mar 30 16:52:45 PDT 2018

https://bugs.webkit.org/show_bug.cgi?id=184202

            Bug ID: 184202
           Summary: Failures from mach port reference handling should be
                    fatal
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bfulgham at webkit.org

We may corrupt the Mach port space by improperly matching the equivalent of reference counting retains (mach_port_mod_refs) with releases (mach_port_deallocate).

Our current implementation of MachSendRights::create does not grab a reference if the passed port is MACH_PORT_DEAD, but we unconditionally call mach_port_deallocate on the port, which could lead to a reference count mismatch.

Likewise, our MachSendRight destructor does not release the port if it has changed to MACH_PORT_DEAD (e.g., if a child process dies), again leading to a mismatch in retain/releases.

Finally, failures in mach_port_deallocate should be fatal because they indicate that the application was attempting to remove an unowned right. This is a fatal condition for Mach, and should lead to an abort. 

This patch does the following:

1. It creates a helper function that does the right thing for safely deallocating a mach port.
2. It uses it in multiple places.
3. It revises 'MachSendRight::create" so that it properly handles the condition of a dead port.
4. It revises the MachSendRight destructor to properly handle the condition of a dead port.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180330/fc1ad72a/attachment.html>