Fix copying in MACH_PORT_DEAD on x86_64

We need to properly convert MACH_PORT_NAME_DEAD (which is 32-bit -1) into IO_DEAD, which is 64-bit -1. To reproduce: $ portinfo -va 1 (see the Mach crash trying to access a port at 0xffffffff) Message-Id: <20230615181731.119328-1-bugaevc@gmail.com>
author: Sergey Bugaev <bugaevc@gmail.com> 2023-06-15 21:17:31 +0300
committer: Samuel Thibault <samuel.thibault@ens-lyon.org> 2023-06-18 00:26:06 +0200
commit: ed7f24debd15745f9e6c20151ec1c5989b58de4e (patch)
tree: dcd06919043eda7028c5f1149aca2994bd79373b /ipc
parent: 5e597575b78af2464117437c8bc41e632d7e112d (diff)
1 files changed, 3 insertions, 4 deletions
diff --git a/ipc/ipc_kmsg.c b/ipc/ipc_kmsg.c
index 1988da45..5012e607 100644
--- a/ipc/ipc_kmsg.c
+++ b/ipc/ipc_kmsg.c
@@ -1447,8 +1447,10 @@ ipc_kmsg_copyin_body(
 				mach_port_name_t port = ((mach_port_t*)data)[i];
 				ipc_object_t object;
 
-				if (!MACH_PORT_NAME_VALID(port))
+				if (!MACH_PORT_NAME_VALID(port)) {
+					objects[i] = (ipc_object_t)invalid_name_to_port(port);
 					continue;
+				}
 
 				kr = ipc_object_copyin(space, port,
 						       name, &object);
@@ -1465,9 +1467,6 @@ ipc_kmsg_copyin_body(
 					kmsg->ikm_header.msgh_bits |=
 						MACH_MSGH_BITS_CIRCULAR;
 
-				/* TODO: revisit this for 64 bits since the size of
-				 * mach_port_name_t is not the same as a pointer size.
-				 */
 				objects[i] = object;
 			}
author	Sergey Bugaev <bugaevc@gmail.com>	2023-06-15 21:17:31 +0300
committer	Samuel Thibault <samuel.thibault@ens-lyon.org>	2023-06-18 00:26:06 +0200
commit	ed7f24debd15745f9e6c20151ec1c5989b58de4e (patch)
tree	dcd06919043eda7028c5f1149aca2994bd79373b /ipc
parent	5e597575b78af2464117437c8bc41e632d7e112d (diff)