mq_send(-1, ...) segfaults instead of failing with EBADF
Mark Geisert
mark@maxrnd.com
Wed Jan 15 10:01:51 GMT 2025
Hi Christian,
On 1/14/2025 7:37 AM, Christian Franke via Cygwin wrote:
> Found with 'stress-ng --mq 1 -v':
>
> If an invalid fd is passed to mq_send() and other mq_* functions, a
> segfault occurs instead of returning -1 with errno=EBADF. Depending on
> optimization, the segfault is not visible in the exit status.
>
> Testcase:
>
> $ uname -r
> 3.5.5-1.x86_64
>
> $ gcc --version
> gcc (GCC) 12.4.0
> ...
>
> $ cat mqbadfd.c
> #include <mqueue.h>
> #include <stdio.h>
>
> int main()
> {
>     printf("mq_send:\n"); fflush(stdout);
>     int ret = mq_send(-1, "FOO", 3, 1);
>     printf("ret = %d\n", ret); fflush(stdout);
>     return 42;
> }
>
> $ gcc -o mqbadfd mqbadfd.c
>
> $ ./mqbadfd; echo $?
> mq_send:
> 0
>
> $ gcc -o mqbadfd2 -O2 mqbadfd.c
>
> $ ./mqbadfd2; echo $?
> mq_send:
> Segmentation fault
> 139
>
> $ strace ./mqbadfd
> ...
> 111 49460 [main] mqbadfd 23013 fhandler_console::write: 9 =
> fhandler_console::write(...)
> 39 49499 [main] mqbadfd 23013 write: 9 = write(1, 0xA00017790, 9)
> 211 49710 [main] mqbadfd 23013 __set_errno:
> cygheap_fdget::cygheap_fdget(int, bool, bool):631 setting errno 9
> --- Process 15116 (pid: 23013), exception c0000005 at 00007ffc766fc71e
> --- Process 15116 (pid: 23013) thread 4672 exited with status 0xc0000005
> --- Process 15116 thread 12184 exited with status 0xc0000005
> --- Process 15116 thread 16828 exited with status 0xc0000005
> --- Process 15116 thread 16892 exited with status 0xc0000005
> --- Process 15116 exited with status 0xc0000005
> Segmentation fault
>
> $ strace ./mqbadfd2
> ...
> 170 22096 [main] mqbadfd2 23017 write: 9 = write(1, 0xA00017790, 9)
> 71 22167 [main] mqbadfd2 23017 __set_errno:
> cygheap_fdget::cygheap_fdget(int, bool, bool):631 setting errno 9
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> 58 22225 [main] mqbadfd2 23017 exception::handle: In
> cygwin_except_handler exception 0xC0000005 at 0x7FFC766FC71E sp 0x7FFFFCB30
> 25 22250 [main] mqbadfd2 23017 exception::handle: In
> cygwin_except_handler signal 11 at 0x7FFC766FC71E
> 38 22288 [main] mqbadfd2 23017 break_here: break here
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> ... [infinite loop - strace needs to be terminated by task manager]
>
>
> Same if -fstack-protector-strong is added.
Thanks for the report and testcase. It appears the mq_*() functions are
missing a validation step. I'll submit a patch shortly.
..mark
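The report above checks only mq_send(). The following is an added example, not code from this thread or from Cygwin, that generalizes the testcase into a small conformance probe: it hands a never-opened descriptor to every fd-taking mq_*() function and counts the calls that do not fail cleanly with -1/EBADF, which is the behaviour a process expects instead of a segfault. The helper names mq_badfd_check() and report() are my own; the expected results assume a POSIX-conforming libc and kernel (verified against Linux semantics). Build with `gcc -Wall -o mq_badfd_check mq_badfd_check.c` (older glibc additionally needs `-lrt`).

```c
/* Added example (not from the mailing-list thread): probe every
 * descriptor-taking mq_*() function with an invalid descriptor and check
 * that each one fails with -1 and errno == EBADF rather than crashing. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <mqueue.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Classify one call's result. Returns 1 on a mismatch, 0 otherwise.
 * A kernel built without POSIX message queues answers ENOSYS; that is
 * reported but not counted, since it says nothing about fd validation. */
static int report(const char *name, int ret, FILE *log)
{
    int err = errno;   /* read immediately, before any other libc call */

    if (ret == -1 && err == EBADF) {
        if (log) fprintf(log, "%-16s ok   (-1, EBADF)\n", name);
        return 0;
    }
    if (ret == -1 && err == ENOSYS) {
        if (log) fprintf(log, "%-16s skip (ENOSYS: no mqueue support)\n", name);
        return 0;
    }
    if (log) fprintf(log, "%-16s BAD  (ret=%d errno=%d %s)\n",
                     name, ret, err, strerror(err));
    return 1;
}

/* Probe each fd-taking mq_* function with bad_fd (e.g. -1, or a large
 * number that was never opened). Returns the number of calls that did
 * not fail with EBADF; 0 means the library validates its descriptors.
 * Pass log = NULL to suppress the per-call report. */
int mq_badfd_check(mqd_t bad_fd, FILE *log)
{
    int bad = 0;
    char buf[64];
    unsigned prio = 0;
    struct mq_attr attr;
    struct timespec now = { 0, 0 };   /* absolute timeout already in the past */

    memset(&attr, 0, sizeof attr);    /* mq_flags = 0 is a valid attr for setattr */

    errno = 0;
    bad += report("mq_send", mq_send(bad_fd, "FOO", 3, 1), log);
    errno = 0;
    bad += report("mq_timedsend", mq_timedsend(bad_fd, "FOO", 3, 1, &now), log);
    errno = 0;
    bad += report("mq_receive", (int) mq_receive(bad_fd, buf, sizeof buf, &prio), log);
    errno = 0;
    bad += report("mq_timedreceive",
                  (int) mq_timedreceive(bad_fd, buf, sizeof buf, &prio, &now), log);
    errno = 0;
    bad += report("mq_getattr", mq_getattr(bad_fd, &attr), log);
    errno = 0;
    bad += report("mq_setattr", mq_setattr(bad_fd, &attr, NULL), log);
    errno = 0;
    bad += report("mq_notify", mq_notify(bad_fd, NULL), log);   /* NULL = deregister */
    errno = 0;
    bad += report("mq_close", mq_close(bad_fd), log);

    return bad;
}

int main(void)
{
    /* Probe with the same descriptor the report used, then a large one. */
    int bad = mq_badfd_check((mqd_t) -1, stdout);
    bad += mq_badfd_check((mqd_t) 123456, stdout);
    printf("%d call(s) did not fail with EBADF\n", bad);
    return bad ? 1 : 0;
}
```

Because each probe is an independent call, a crash in any one of them ends the process at that line of the log, so the last line printed identifies the function that dereferenced the invalid descriptor.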