xnu-3248.30.4.tar.gz
[apple/xnu.git] / osfmk / kern / ipc_kobject.c
index 1789ae5f6bf16346d03b2212d339f71e71fca18f..7aa0466dbc615016bcde299a4d5386260450672f 100644 (file)
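--- a/osfmk/kern/ipc_kobject.c
+++ b/osfmk/kern/ipc_kobject.c
@@ -266,6 +266,7 @@ ipc_kobject_server(
        ipc_kmsg_t reply;
        kern_return_t kr;
        ipc_port_t *destp;
+       ipc_port_t  replyp = IPC_PORT_NULL;
        mach_msg_format_0_trailer_t *trailer;
        register mig_hash_t *ptr;
 
@@ -341,10 +342,10 @@ ipc_kobject_server(
            }
            else {
                if (!ipc_kobject_notify(request->ikm_header, reply->ikm_header)){
-#if    MACH_IPC_TEST
+#if DEVELOPMENT || DEBUG
                    printf("ipc_kobject_server: bogus kernel message, id=%d\n",
                        request->ikm_header->msgh_id);
-#endif /* MACH_IPC_TEST */
+#endif /* DEVELOPMENT || DEBUG */
                    _MIG_MSGID_INVALID(request->ikm_header->msgh_id);
 
                    ((mig_reply_error_t *) reply->ikm_header)->RetCode
@@ -419,6 +420,8 @@ ipc_kobject_server(
                ipc_kmsg_destroy(request);
        }
 
+       replyp = (ipc_port_t)reply->ikm_header->msgh_remote_port;
+
        if (kr == MIG_NO_REPLY) {
                /*
                 *      The server function will send a reply message
@@ -428,7 +431,7 @@ ipc_kobject_server(
                ipc_kmsg_free(reply);
 
                return IKM_NULL;
-       } else if (!IP_VALID((ipc_port_t)reply->ikm_header->msgh_remote_port)) {
+       } else if (!IP_VALID(replyp)) {
                /*
                 *      Can't queue the reply message if the destination
                 *      (the reply port) isn't valid.
@@ -436,6 +439,17 @@ ipc_kobject_server(
 
                ipc_kmsg_destroy(reply);
 
+               return IKM_NULL;
+       } else if (replyp->ip_receiver == ipc_space_kernel) {
+               /*
+                * Don't send replies to kobject kernel ports
+                */
+#if DEVELOPMENT || DEBUG
+               printf("%s: refusing to send reply to kobject %d port (id:%d)\n",
+                      __func__, ip_kotype(replyp),
+                      request->ikm_header->msgh_id);
+#endif /* DEVELOPMENT || DEBUG */
+               ipc_kmsg_destroy(reply);
                return IKM_NULL;
        }
 
@@ -528,9 +542,22 @@ ipc_kobject_notify(
        mach_msg_header_t *request_header,
        mach_msg_header_t *reply_header)
 {
+       mach_msg_max_trailer_t * trailer;
        ipc_port_t port = (ipc_port_t) request_header->msgh_remote_port;
 
        ((mig_reply_error_t *) reply_header)->RetCode = MIG_NO_REPLY;
+
+       trailer = (mach_msg_max_trailer_t *)
+                 ((vm_offset_t)request_header + request_header->msgh_size);
+       if (0 != bcmp(&trailer->msgh_audit, &KERNEL_AUDIT_TOKEN,
+                       sizeof(trailer->msgh_audit))) {
+               return FALSE;
+       }
+       if (0 != bcmp(&trailer->msgh_sender, &KERNEL_SECURITY_TOKEN,
+                       sizeof(trailer->msgh_sender))) {
+               return FALSE;
+       }
+
        switch (request_header->msgh_id) {
                case MACH_NOTIFY_NO_SENDERS:
                        switch (ip_kotype(port)) {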
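Review bot: The new `replyp->ip_receiver == ipc_space_kernel` test in the `@@ -436,6 +439,17 @@` hunk reads the port's receiver field with no `ip_lock(replyp)` and no `ip_active(replyp)` check visible in the hunk. The decision can therefore be made on a port whose state is changing, and the reply is queued later, outside the lines shown, on whatever the port has become by then. Unless the caller already holds the port lock, take it around the test, `ip_lock(replyp); kernel_owned = ip_active(replyp) && replyp->ip_receiver == ipc_space_kernel; ip_unlock(replyp);`, and branch on `kernel_owned`. The refusal is also logged only under `DEVELOPMENT || DEBUG`, so a release kernel drops these replies without any record; a counter or rate-limited log would make the condition observable. `ipc_kobject_server` starts and ends outside the hunks shown.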