ipc_kmsg_copyin_body() updated OOL port arrays from 32-bit
mach_port_name_t elements to 64-bit mach_port_t elements only in the
non-empty path. For zero-length arrays, the code skipped that
normalization and left msgtl_size at 32.
Normalize the descriptor size for OOL port arrays before the length == 0
branch so empty and non-empty arrays are handled consistently.
---
ipc/ipc_kmsg.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipc/ipc_kmsg.c b/ipc/ipc_kmsg.c
index fe6582d1..daf2ef4b 100644
--- a/ipc/ipc_kmsg.c
+++ b/ipc/ipc_kmsg.c
@@ -1355,6 +1355,15 @@ ipc_kmsg_copyin_body(
is_port = MACH_MSG_TYPE_PORT_ANY(name);
+ if (is_port && !is_inline &&
+ sizeof(mach_port_name_t) != sizeof(mach_port_t)) {
+ if (longform)
+ type->msgtl_size = sizeof(mach_port_t) * 8;
+ else
+ ((mach_msg_type_t *)type)->msgt_size =
+ sizeof(mach_port_t) * 8;
+ }
+
if ((is_port && !is_inline && (size !=
PORT_NAME_T_SIZE_IN_BITS)) ||
(is_port && is_inline && (size != PORT_T_SIZE_IN_BITS)) ||
#ifndef __LP64__
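Review bot: The new block rewrites the descriptor's size field before the `size != PORT_NAME_T_SIZE_IN_BITS` check on the following lines has accepted the descriptor, so a descriptor that is about to be rejected for a bad size is mutated first. That is only harmless if every rejection path discards the kmsg without reading the descriptor again, which the hunk does not show; the block does not depend on the check's outcome, so moving it to just after the check avoids relying on that. The check still compares the local `size`, which presumably holds the value read from the descriptor earlier, so it keeps validating the user-supplied 32-bit element width rather than the 64 just written — but from here on `size` and the descriptor disagree, which deserves a comment on the new block: `/* size still holds the user-supplied element width (mach_port_name_t); the descriptor now records the kernel-side width (mach_port_t) so the empty and non-empty paths agree. */`. ipc_kmsg_copyin_body starts and ends outside the hunk.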
@@ -1398,14 +1407,14 @@ ipc_kmsg_copyin_body(
data = 0;
else if (is_port) {
const vm_size_t user_length = length;
+
/*
* In 64 bit architectures, out of line port
names are
* represented as an array of mach_port_name_t
which are
* smaller than mach_port_t.
- */
+ */
if (sizeof(mach_port_name_t) !=
sizeof(mach_port_t)) {
length = sizeof(mach_port_t) * number;
- type->msgtl_size = sizeof(mach_port_t)
* 8;
}
data = kalloc(length);
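Review bot: With the `msgtl_size` assignment removed from this branch, the comment above the `sizeof` comparison explains only why `length` is recomputed and no longer says where the descriptor's element size is made to match, so a reader of this block alone cannot tell that `length` and the descriptor agree. Extend the comment with `* The descriptor's size field was already normalized to sizeof(mach_port_t) * 8 before the length == 0 branch, so only length needs adjusting here.`. The enclosing function starts and ends outside the hunk.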
--
2.53.0