Hi Christian,
On 1/14/2025 7:37 AM, Christian Franke via Cygwin wrote:
Found with 'stress-ng --mq 1 -v':
If an invalid fd is passed to mq_send() and other mq_* functions, a
segfault occurs instead of returning -1 with errno=EBADF. Depending on
optimization, the segfault is not visible in the exit status.
Testcase:
$ uname -r
3.5.5-1.x86_64
$ gcc --version
gcc (GCC) 12.4.0
...
$ cat mqbadfd.c
#include <mqueue.h>
#include <stdio.h>

int main(void)
{
    printf("mq_send:\n"); fflush(stdout);
    /* Deliberately pass an invalid descriptor: POSIX requires -1 with errno=EBADF. */
    int ret = mq_send(-1, "FOO", 3, 1);
    printf("ret = %d\n", ret); fflush(stdout);
    /* Distinctive exit status so a crash (139) is told apart from a normal return. */
    return 42;
}
$ gcc -o mqbadfd mqbadfd.c
$ ./mqbadfd; echo $?
mq_send:
0
$ gcc -o mqbadfd2 -O2 mqbadfd.c
$ ./mqbadfd2; echo $?
mq_send:
Segmentation fault
139
$ strace ./mqbadfd
...
111 49460 [main] mqbadfd 23013 fhandler_console::write: 9 = fhandler_console::write(...)
39 49499 [main] mqbadfd 23013 write: 9 = write(1, 0xA00017790, 9)
211 49710 [main] mqbadfd 23013 __set_errno: cygheap_fdget::cygheap_fdget(int, bool, bool):631 setting errno 9
--- Process 15116 (pid: 23013), exception c0000005 at 00007ffc766fc71e
--- Process 15116 (pid: 23013) thread 4672 exited with status 0xc0000005
--- Process 15116 thread 12184 exited with status 0xc0000005
--- Process 15116 thread 16828 exited with status 0xc0000005
--- Process 15116 thread 16892 exited with status 0xc0000005
--- Process 15116 exited with status 0xc0000005
Segmentation fault
$ strace ./mqbadfd2
...
170 22096 [main] mqbadfd2 23017 write: 9 = write(1, 0xA00017790, 9)
71 22167 [main] mqbadfd2 23017 __set_errno: cygheap_fdget::cygheap_fdget(int, bool, bool):631 setting errno 9
--- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
58 22225 [main] mqbadfd2 23017 exception::handle: In cygwin_except_handler exception 0xC0000005 at 0x7FFC766FC71E sp 0x7FFFFCB30
25 22250 [main] mqbadfd2 23017 exception::handle: In cygwin_except_handler signal 11 at 0x7FFC766FC71E
38 22288 [main] mqbadfd2 23017 break_here: break here
--- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
--- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
--- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
--- Process 13872 (pid: 23017), exception c0000005 at 00007ffc766fc71e
... [infinite loop - strace needs to be terminated by task manager]
Same if -fstack-protector-strong is added.
Thanks for the report and testcase. It appears the mq_*() functions are
missing a validation step. I'll submit a patch shortly.
..mark
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple