NetBSD-Bugs archive
Re: kern/40570
The following reply was made to PR kern/40570; it has been noted by GNATS.
From: Antti Kantee <pooka%cs.hut.fi@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: kern/40570
Date: Sat, 7 Feb 2009 14:55:31 +0200

Two issues: first of all, mount_puffsportal does not use the portalfs
in any way, so I think we could drop "portalfs" from the synopsis.

Second, I believe this is a panic common to all userland programs doing
file descriptor passing. I suggest changing the synopsis to e.g. "file
descriptor passing = panic" ... and am in fact doing so.

As this is a (potential) local DoS, I think it's a priority for 5.0.

The application code which corresponds to the kernel stack trace is:

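#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

#include <errno.h>
#include <stdlib.h>
#include <util.h>	/* emalloc() from NetBSD libutil */

/* Pass descriptor fd over socket s as SCM_RIGHTS; error is the data payload. */
static int
sendfd(int s, int fd, int error)
{
	struct cmsghdr *cmp;
	struct msghdr msg;
	struct iovec iov;
	ssize_t n;
	int rv;

	rv = 0;
	cmp = emalloc(CMSG_LEN(sizeof(int)));

	/* Ordinary data: the error value, sent as a single int. */
	iov.iov_base = &error;
	iov.iov_len = sizeof(int);

	/* Control data: one cmsghdr carrying one descriptor. */
	cmp->cmsg_level = SOL_SOCKET;
	cmp->cmsg_type = SCM_RIGHTS;
	cmp->cmsg_len = CMSG_LEN(sizeof(int));

	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_name = NULL;
	msg.msg_namelen = 0;
	msg.msg_control = cmp;
	msg.msg_controllen = CMSG_LEN(sizeof(int));
	*(int *)CMSG_DATA(cmp) = fd;

	n = sendmsg(s, &msg, 0);
	if (n == -1)
		rv = errno;
	else if ((size_t)n < sizeof(int))	/* short write of the payload */
		rv = EPROTO;

	free(cmp);
	return rv;
}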
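
Added example, not part of the original message and not NetBSD project code: a single-process round trip that attaches a descriptor with SCM_RIGHTS the way sendfd() above does, then receives and validates it, usable as a regression check for the descriptor-passing path. The names xferfd and fdpass_roundtrip are hypothetical.

```c
/* Added example, not code from the PR; function names are hypothetical. */
#include <sys/socket.h>
#include <sys/uio.h>
#include <string.h>
#include <unistd.h>

/* Send (fd >= 0) or receive (fd < 0) one int with one descriptor attached.
 * Returns 0 after sending, the received descriptor, or -1 on error. */
static int
xferfd(int s, int fd, int *data)
{
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
	struct iovec iov = { .iov_base = data, .iov_len = sizeof(*data) };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
	    .msg_control = ctl.buf, .msg_controllen = sizeof(ctl.buf) };
	struct cmsghdr *cmp = CMSG_FIRSTHDR(&msg);
	memset(&ctl, 0, sizeof(ctl));
	if (fd >= 0) {
		cmp->cmsg_level = SOL_SOCKET;
		cmp->cmsg_type = SCM_RIGHTS;
		cmp->cmsg_len = CMSG_LEN(sizeof(int));
		memcpy(CMSG_DATA(cmp), &fd, sizeof(fd));
		return sendmsg(s, &msg, 0) == (ssize_t)sizeof(*data) ? 0 : -1;
	}
	if (recvmsg(s, &msg, 0) != (ssize_t)sizeof(*data))
		return -1;
	/* Accept only one complete, untruncated SCM_RIGHTS descriptor. */
	cmp = CMSG_FIRSTHDR(&msg);
	if ((msg.msg_flags & MSG_CTRUNC) || cmp == NULL ||
	    cmp->cmsg_level != SOL_SOCKET || cmp->cmsg_type != SCM_RIGHTS ||
	    cmp->cmsg_len != CMSG_LEN(sizeof(int)))
		return -1;
	memcpy(&fd, CMSG_DATA(cmp), sizeof(fd));
	return fd;
}

/* Pass a pipe's read end over a socketpair, then read through the copy. */
int
fdpass_roundtrip(void)
{
	int sv[2] = { -1, -1 }, pp[2] = { -1, -1 }, out = 42, in = 0, got = -1;
	char c = 0;
	int ok = socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0 && pipe(pp) == 0 &&
	    xferfd(sv[0], pp[0], &out) == 0 &&
	    (got = xferfd(sv[1], -1, &in)) >= 0 && in == 42 &&
	    write(pp[1], "x", 1) == 1 && read(got, &c, 1) == 1 && c == 'x';
	/* close(-1) fails harmlessly with EBADF when a step above never ran. */
	close(sv[0]); close(sv[1]); close(pp[0]); close(pp[1]); close(got);
	return ok ? 0 : -1;
}
```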