mq_send(-1, ...) segfaults instead of failing with EBADF

Mark Geisert mark@maxrnd.com
Wed Jan 15 10:01:51 GMT 2025


Hi Christian,

On 1/14/2025 7:37 AM, Christian Franke via Cygwin wrote:
> Found with 'stress-ng --mq 1 -v':
> 
> If an invalid fd is passed to mq_send() and other mq_* functions, a 
> segfault occurs instead of returning -1 with errno=EBADF. Depending on 
> optimization, the segfault is not visible in the exit status.
> 
> Testcase:
> 
> $ uname -r
> 3.5.5-1.x86_64
> 
> $ gcc --version
> gcc (GCC) 12.4.0
> ...
> 
> $ cat mqbadfd.c
> #include <mqueue.h>
> #include <stdio.h>
> 
> int main()
> {
>    printf("mq_send:\n"); fflush(stdout);
>    int ret = mq_send(-1, "FOO", 3, 1);
>    printf("ret = %d\n", ret); fflush(stdout);
>    return 42;
> }
> 
> $ gcc -o mqbadfd mqbadfd.c
> 
> $ ./mqbadfd; echo $?
> mq_send:
> 0
> 
> $ gcc -o mqbadfd2 -O2 mqbadfd.c
> 
> $ ./mqbadfd2; echo $?
> mq_send:
> Segmentation fault
> 139
> 
> $ strace ./mqbadfd
> ...
>    111   49460 [main] mqbadfd 23013 fhandler_console::write: 9 = 
> fhandler_console::write(...)
>     39   49499 [main] mqbadfd 23013 write: 9 = write(1, 0xA00017790, 9)
>    211   49710 [main] mqbadfd 23013 __set_errno: 
> cygheap_fdget::cygheap_fdget(int, bool, bool):631 setting errno 9
> --- Process 15116 (pid: 23013), exception c0000005 at 00007ffc766fc71e
> --- Process 15116 (pid: 23013) thread 4672 exited with status 0xc0000005
> --- Process 15116 thread 12184 exited with status 0xc0000005
> --- Process 15116 thread 16828 exited with status 0xc0000005
> --- Process 15116 thread 16892 exited with status 0xc0000005
> --- Process 15116 exited with status 0xc0000005
> Segmentation fault
> 
> $ strace ./mqbadfd2
> ...
>    170   22096 [main] mqbadfd2 23017 write: 9 = write(1, 0xA00017790, 9)
>     71   22167 [main] mqbadfd2 23017 __set_errno: 
> cygheap_fdget::cygheap_fdget(int, bool, bool):631 setting errno 9
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
>     58   22225 [main] mqbadfd2 23017 exception::handle: In 
> cygwin_except_handler exception 0xC0000005 at 0x7FFC766FC71E sp 0x7FFFFCB30
>     25   22250 [main] mqbadfd2 23017 exception::handle: In 
> cygwin_except_handler signal 11 at 0x7FFC766FC71E
>     38   22288 [main] mqbadfd2 23017 break_here: break here
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> --- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
> ... [infinite loop - strace needs to be terminated by task manager]
> 
> 
> Same if -fstack-protector-strong is added.

Thanks for the report and testcase.  It appears the mq_*() functions are 
missing a validation step.  I'll submit a patch shortly.

..mark
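The strace output above shows the pattern behind the crash: the descriptor lookup (cygheap_fdget) sets errno 9 (EBADF), but the mq_*() caller then continues as if the lookup had succeeded, so the next access hits unmapped memory (exception c0000005). The following is an added example, not Cygwin's code and not the patch Mark refers to: a toy descriptor table whose lookup fails the same way, an mq_send-shaped entry point that performs the missing validation step, and a probe in the spirit of the reporter's mqbadfd.c that feeds descriptors which cannot be open and checks for the POSIX-required result (-1 with errno == EBADF). All names (toy_mq, toy_fd_lookup, toy_mq_send, probe_bad_fds) and the descriptor table contents are hypothetical.

```c
/* Added example, not Cygwin's code: models the validation step an
 * mq_*() entry point needs between "look up the descriptor" and
 * "touch the object behind it".  Names and table contents are made up. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_MAX_FDS 8
#define TOY_MSG_CAP 16

struct toy_mq {
    char     msg[TOY_MSG_CAP];
    size_t   len;
    unsigned prio;
};

/* Constructed descriptor table: only fd 3 is open, NULL means "not open". */
static struct toy_mq  toy_queue_storage;
static struct toy_mq *toy_fd_table[TOY_MAX_FDS] = { [3] = &toy_queue_storage };

/* Behaves like the lookup seen in the strace: on a bad descriptor it sets
 * errno to EBADF (9) and hands back nothing usable.  The caller has to
 * check the result; dereferencing it anyway is the reported segfault. */
static struct toy_mq *toy_fd_lookup(int fd)
{
    if (fd < 0 || fd >= TOY_MAX_FDS || toy_fd_table[fd] == NULL) {
        errno = EBADF;
        return NULL;
    }
    return toy_fd_table[fd];
}

/* mq_send-shaped entry point with the validation step in place:
 * a failed lookup returns -1 (errno already EBADF) instead of crashing. */
int toy_mq_send(int fd, const char *msg, size_t len, unsigned prio)
{
    struct toy_mq *q = toy_fd_lookup(fd);
    if (q == NULL)
        return -1;
    if (len > TOY_MSG_CAP) {
        errno = EMSGSIZE;
        return -1;
    }
    memcpy(q->msg, msg, len);
    q->len  = len;
    q->prio = prio;
    return 0;
}

/* Probe modelled on mqbadfd.c: call an mq_send-like function with
 * descriptors that cannot be open (negative, beyond the table, unopened)
 * and count how many calls did NOT fail with -1 / EBADF.  The function
 * pointer has the same shape as mq_send(), so the same probe could be
 * pointed at the real function in a test program. */
int probe_bad_fds(int (*send_fn)(int, const char *, size_t, unsigned))
{
    const int bad_fds[] = { -1, -2, TOY_MAX_FDS, TOY_MAX_FDS + 1000, 0 };
    int failures = 0;

    for (size_t i = 0; i < sizeof bad_fds / sizeof bad_fds[0]; i++) {
        errno = 0;
        int ret = send_fn(bad_fds[i], "FOO", 3, 1);
        if (ret != -1 || errno != EBADF) {
            printf("fd %d: ret=%d errno=%d (expected -1/EBADF)\n",
                   bad_fds[i], ret, errno);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    printf("misbehaving descriptors: %d\n", probe_bad_fds(toy_mq_send));
    printf("fd 3: ret=%d\n", toy_mq_send(3, "FOO", 3, 1));
    return 0;
}
```

The point of the split into lookup and entry point is that the lookup's errno assignment alone is not enough; a caller that does not branch on the lookup result still dereferences whatever came back, which is what both traces on this thread show. A probe like probe_bad_fds is cheap to keep in a test suite for each mq_*() function so a missing check is caught as a failed assertion rather than as a segfault that an optimizer may hide from the exit status.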

