[Webkit-unassigned] [Bug 184202] New: Failures from mach port reference handling should be fatal
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Mar 30 16:52:45 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=184202
Bug ID: 184202
Summary: Failures from mach port reference handling should be
fatal
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bfulgham at webkit.org
We may corrupt the Mach port space by improperly matching the equivalent of reference counting retains (mach_port_mod_refs) with releases (mach_port_deallocate).
Our current implementation of MachSendRights::create does not grab a reference if the passed port is MACH_PORT_DEAD, but we unconditionally call mach_port_deallocate on the port, which could lead to a reference count mismatch.
Likewise, our MachSendRight destructor does not release the port if it has changed to MACH_PORT_DEAD (e.g., if a child process dies), again leading to a mismatch in retain/releases.
Finally, failures in mach_port_deallocate should be fatal because they indicate that the application was attempting to remove an unowned right. This is a fatal condition for Mach, and should lead to an abort.
This patch does the following:
1. It creates a helper function that does the right thing for safely deallocating a mach port.
2. It uses it in multiple places.
3. It revises 'MachSendRight::create" so that it properly handles the condition of a dead port.
4. It revises the MachSendRight destructor to properly handle the condition of a dead port.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180330/fc1ad72a/attachment.html>
More information about the webkit-unassigned
mailing list