X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/3e170ce000f1506b7b5d2c5c7faec85ceabb573d..c7d2c2c6ee645e10cbccdd01c6191873ec77239d:/osfmk/kern/ipc_kobject.c
diff --git a/osfmk/kern/ipc_kobject.c b/osfmk/kern/ipc_kobject.c
index 1789ae5f6..7aa0466db 100644
--- a/osfmk/kern/ipc_kobject.c
+++ b/osfmk/kern/ipc_kobject.c
@@ -266,6 +266,7 @@ ipc_kobject_server(
 ipc_kmsg_t reply;
 kern_return_t kr;
 ipc_port_t *destp;
+ ipc_port_t replyp = IPC_PORT_NULL;
 mach_msg_format_0_trailer_t *trailer;
 register mig_hash_t *ptr;
@@ -341,10 +342,10 @@ ipc_kobject_server(
 } else {
 if (!ipc_kobject_notify(request->ikm_header, reply->ikm_header)){
-#if MACH_IPC_TEST
+#if DEVELOPMENT || DEBUG
 printf("ipc_kobject_server: bogus kernel message, id=%d\n", request->ikm_header->msgh_id);
-#endif /* MACH_IPC_TEST */
+#endif /* DEVELOPMENT || DEBUG */
 _MIG_MSGID_INVALID(request->ikm_header->msgh_id);
 ((mig_reply_error_t *) reply->ikm_header)->RetCode
@@ -419,6 +420,8 @@ ipc_kobject_server(
 ipc_kmsg_destroy(request);
 }
+ replyp = (ipc_port_t)reply->ikm_header->msgh_remote_port;
+
 if (kr == MIG_NO_REPLY) {
 /*
 * The server function will send a reply message
@@ -428,7 +431,7 @@ ipc_kobject_server(
 ipc_kmsg_free(reply);
 return IKM_NULL;
- } else if (!IP_VALID((ipc_port_t)reply->ikm_header->msgh_remote_port)) {
+ } else if (!IP_VALID(replyp)) {
 /*
 * Can't queue the reply message if the destination
 * (the reply port) isn't valid.
@@ -436,6 +439,17 @@ ipc_kobject_server(
 ipc_kmsg_destroy(reply);
+ return IKM_NULL;
+ } else if (replyp->ip_receiver == ipc_space_kernel) {
+ /*
+ * Don't send replies to kobject kernel ports
+ */
+#if DEVELOPMENT || DEBUG
+ printf("%s: refusing to send reply to kobject %d port (id:%d)\n",
+ __func__, ip_kotype(replyp),
+ request->ikm_header->msgh_id);
+#endif /* DEVELOPMENT || DEBUG */
+ ipc_kmsg_destroy(reply);
 return IKM_NULL;
 }
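Review bot: The new `else if (replyp->ip_receiver == ipc_space_kernel)` branch in the hunk at +439 reads `ip_receiver` with no port lock or liveness check visible in the hunk, and its comment does not say why replies to kernel-received ports are refused. If the field can change or hold other state while the port is unlocked, the comparison should sit between `ip_lock(replyp)` and `ip_unlock(replyp)`. If the unlocked read is deliberate, the comment should say so, e.g. `/* Never queue a reply on a port the kernel itself receives on (kobject ports); ip_receiver is read unlocked because <reason> */`. The refusal is reported only under `DEVELOPMENT || DEBUG`, so a release kernel drops the reply with no counter or log that detection could use. The body of ipc_kobject_server starts and ends outside these hunks.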
@@ -528,9 +542,22 @@ ipc_kobject_notify(
 mach_msg_header_t *request_header,
 mach_msg_header_t *reply_header)
 {
+ mach_msg_max_trailer_t * trailer;
 ipc_port_t port = (ipc_port_t) request_header->msgh_remote_port;
 ((mig_reply_error_t *) reply_header)->RetCode = MIG_NO_REPLY;
+
+ trailer = (mach_msg_max_trailer_t *)
+ ((vm_offset_t)request_header + request_header->msgh_size);
+ if (0 != bcmp(&trailer->msgh_audit, &KERNEL_AUDIT_TOKEN,
+ sizeof(trailer->msgh_audit))) {
+ return FALSE;
+ }
+ if (0 != bcmp(&trailer->msgh_sender, &KERNEL_SECURITY_TOKEN,
+ sizeof(trailer->msgh_sender))) {
+ return FALSE;
+ }
+
+
 switch (request_header->msgh_id) {
 case MACH_NOTIFY_NO_SENDERS:
 switch (ip_kotype(port)) {
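Review bot: `trailer` is computed as `request_header + request_header->msgh_size` and then read through `mach_msg_max_trailer_t`, but nothing in this hunk shows that a trailer holding `msgh_sender` and `msgh_audit` is always present and initialised at that offset. The two `bcmp` checks are only as trustworthy as that invariant, so it should be written above the cast, along the lines of `/* every kmsg reaching here has its trailer, with sender and audit tokens filled in by the kernel, directly after msgh_size; only kernel-originated notifications carry the kernel tokens */`, once confirmed against the kmsg allocation and copyin paths. A short comment on the two early `return FALSE` exits would also help, noting that the caller then treats the message as a bogus kernel message. The switch that follows continues past the end of the hunk.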