IOUserClient::setAsyncReference64 Doesn't Set kIOUCAsync64Flag Causing Callouts To Be 32 Bit
| Originator: | ciderapps | | |
| Number: | rdar://16121193 | Date Originated: | 2/20/2014 |
| Status: | Open | Resolved: | |
| Product: | OS X SDK | Product Version: | xnu-2050.48.11 |
| Classification: | Bug | Reproducible: | Yes |
Summary:
In the function IOUserClient::setAsyncReference64 the OSAsyncReference64[kIOAsyncReservedIndex] is set as:
asyncRef[kIOAsyncReservedIndex] = ((io_user_reference_t)wakePort) | (kIOUCAsync0Flags & asyncRef[kIOAsyncReservedIndex]);
With a new OSAsyncReference64 asyncRef this reduces to:
asyncRef[kIOAsyncReservedIndex] = ((io_user_reference_t)wakePort);
This results in kIOUCAsync64Flag not being set on asyncRef[kIOAsyncReservedIndex]. Later, when IOUserClient::sendAsyncResult64 is called from an IOUserClient subclass, the mach_msg_header_t reply is built as if it were a 32-bit callout. The userspace program then crashes because the callout function address it receives is invalid.
Steps to Reproduce:
setAsyncReference64(m_ref, m_notification_port, arguments->asyncReference[kIOAsyncCalloutFuncIndex], arguments->asyncReference[kIOAsyncCalloutRefconIndex]);
Expected Results:
(m_ref[kIOAsyncReservedIndex] & kIOUCAsync64Flag) == kIOUCAsync64Flag
Actual Results:
(m_ref[kIOAsyncReservedIndex] & kIOUCAsync64Flag) == 0
Version:
xnu-2050.48.11
Notes:
To fix it, I do this in my IOUserClient subclass:
asyncRef[kIOAsyncReservedIndex] |= 1; // (kIOUCAsync64Flag)
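The following is an added, user-space model of the behaviour described in the Summary and the workaround in the Notes; it is not code from the report or from xnu. It mirrors the quoted body of setAsyncReference64, then checks the flag the way the Expected Results line does. The enum values for kIOUCAsync0Flags and kIOUCAsyncErrorLoggedFlag, the 8-entry size of OSAsyncReference64, the sample port and callback values, and the copyAsyncFlags helper are assumptions made for the example (the report itself only shows that kIOUCAsync64Flag is 1 and that the kernel's own arguments->asyncReference is available to the subclass).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Types and constants modelled on IOKit's IOUserClient.h. The flag values
 * other than kIOUCAsync64Flag (== 1, per the report's workaround) are
 * assumptions taken from that header for this example. */
typedef uint64_t  io_user_reference_t;
typedef uint64_t  mach_vm_address_t;
typedef uintptr_t mach_port_t;            /* in the kernel this is an ipc_port_t pointer */
typedef io_user_reference_t OSAsyncReference64[8];

enum { kIOAsyncReservedIndex = 0, kIOAsyncCalloutFuncIndex = 1, kIOAsyncCalloutRefconIndex = 2 };
#define kIOUCAsync64Flag          1ULL
#define kIOUCAsyncErrorLoggedFlag 2ULL
#define kIOUCAsync0Flags          3ULL    /* both flag bits; assumed value */

/* Mirror of the kernel routine quoted in the report. A port pointer is
 * aligned, so its two low bits are free for flags, but the routine only
 * carries over flags the caller already had in the reserved slot; it never
 * sets kIOUCAsync64Flag itself. */
static void setAsyncReference64(OSAsyncReference64 asyncRef, mach_port_t wakePort,
                                mach_vm_address_t callback, io_user_reference_t refcon)
{
    asyncRef[kIOAsyncReservedIndex] = ((io_user_reference_t)wakePort)
                                    | (kIOUCAsync0Flags & asyncRef[kIOAsyncReservedIndex]);
    asyncRef[kIOAsyncCalloutFuncIndex]   = (io_user_reference_t)callback;
    asyncRef[kIOAsyncCalloutRefconIndex] = refcon;
}

/* The check stated under Expected Results: will sendAsyncResult64 treat
 * this reference as a 64-bit callout? */
static int is64BitCallout(const OSAsyncReference64 asyncRef)
{
    return (asyncRef[kIOAsyncReservedIndex] & kIOUCAsync64Flag) == kIOUCAsync64Flag;
}

/* The report's workaround: set the flag explicitly after filling the reference. */
static void markAsync64(OSAsyncReference64 asyncRef)
{
    asyncRef[kIOAsyncReservedIndex] |= kIOUCAsync64Flag;
}

/* Hypothetical alternative: carry the flag bits over from the reference the
 * kernel handed to externalMethod (arguments->asyncReference) into the
 * driver-owned copy before calling setAsyncReference64. Assumes the kernel
 * entry point has already marked the incoming reference as 64-bit. */
static void copyAsyncFlags(OSAsyncReference64 dst, const OSAsyncReference64 src)
{
    dst[kIOAsyncReservedIndex] = (dst[kIOAsyncReservedIndex] & ~kIOUCAsync0Flags)
                               | (src[kIOAsyncReservedIndex] & kIOUCAsync0Flags);
}

/* Constructed sample values standing in for a wake port and a user callout. */
#define SAMPLE_WAKE_PORT ((mach_port_t)0xffffff8012345600ULL)
#define SAMPLE_CALLBACK  ((mach_vm_address_t)0x0000000100001a2cULL)
#define SAMPLE_REFCON    ((io_user_reference_t)0x42)

/* Scenario from Steps to Reproduce: a zero-initialised, driver-owned m_ref. */
static int freshReferenceGets64Flag(void)
{
    OSAsyncReference64 ref;
    memset(ref, 0, sizeof ref);
    setAsyncReference64(ref, SAMPLE_WAKE_PORT, SAMPLE_CALLBACK, SAMPLE_REFCON);
    return is64BitCallout(ref);           /* 0: the flag was never set */
}

/* Same scenario with the Notes workaround applied; the port bits must survive. */
static int workaroundSets64Flag(void)
{
    OSAsyncReference64 ref;
    memset(ref, 0, sizeof ref);
    setAsyncReference64(ref, SAMPLE_WAKE_PORT, SAMPLE_CALLBACK, SAMPLE_REFCON);
    markAsync64(ref);
    return is64BitCallout(ref)
        && (ref[kIOAsyncReservedIndex] & ~kIOUCAsync0Flags) == SAMPLE_WAKE_PORT;
}

/* Flags copied from the kernel-supplied reference are preserved by the routine. */
static int copiedFlagSurvives(void)
{
    OSAsyncReference64 incoming, ref;
    memset(incoming, 0, sizeof incoming);
    memset(ref, 0, sizeof ref);
    incoming[kIOAsyncReservedIndex] = kIOUCAsync64Flag;   /* assumed: set by the kernel */
    copyAsyncFlags(ref, incoming);
    setAsyncReference64(ref, SAMPLE_WAKE_PORT, SAMPLE_CALLBACK, SAMPLE_REFCON);
    return is64BitCallout(ref);
}

int main(void)
{
    printf("fresh reference flagged 64-bit: %d\n", freshReferenceGets64Flag());
    printf("after workaround:               %d\n", workaroundSets64Flag());
    printf("with flags copied from kernel:  %d\n", copiedFlagSurvives());
    return 0;
}
```

The first function reproduces the report's Actual Results (flag clear on a fresh reference); the other two show the two ways a subclass can end up with the flag set, either by ORing it in as the Notes do or by not discarding the reserved-slot bits the kernel already provided.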
Configuration:
Anything running 10.9.x. May exist in prior versions but have not investigated.
Attachments: