From: Mateusz Guzik
To: freebsd-arch@freebsd.org
Cc: Robert Watson, Johan Schuijt, Konstantin Belousov
Subject: [PATCH 0/2] plug capability races
Date: Fri, 15 Aug 2014 02:55:10 +0200
Message-Id: <1408064112-573-1-git-send-email-mjguzik@gmail.com>

fget_unlocked currently reads 'fde', which is a structure consisting of several fields. In effect the read is non-atomic and may result in obtaining a file pointer with stale or incorrect capabilities. An example race is with dup2. The side effect is that capability checks can be circumvented.

The proposed way to fix it is with the help of sequence counters.

The patchset assumes stuff from 'Getting rid of atomic_load_acq_int(&fdp->fd_nfiles)) from fget_unlocked' ( http://lists.freebsd.org/pipermail/freebsd-arch/2014-July/015550.html ) is applied. There is no technical dependency between the patches (apart from READ_ONCE), but that patch amortizes the performance hit introduced with the seqlock.

So this introduces a measurable hit with a microbenchmark (16 threads reading from a pipe which fails with EAGAIN), but is still much faster than the current code with atomic_load_acq_int(&fdp->fd_nfiles).
x propernoacq-readpipe-run-sum
+ seq2-noacq-readpipe-run-sum
    N           Min           Max        Median           Avg        Stddev
x  20      59479718      59527286      59496714      59499504     13752.968
+  20      54520752      54920054      54829539      54773480     136842.96
Difference at 95.0% confidence
        -4.72602e+06 +/- 62244.4
        -7.94296% +/- 0.104613%
        (Student's t, pooled s = 97250)

There is still one theoretical race unfixed, but I don't believe it matters much. The race is: fp gets reallocated before the refcount check. This results in returning fp regardless of new caps, but I don't see how this particular race could be exploited. It could be fixed by re-reading the entire fde and checking if it changed.

-- 
2.0.2
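The torn read described in the cover letter, and the sequence-counter read side that catches it, shown as an added user-space example. This is illustration code written for this page, not the FreeBSD patch or any kernel code: the names fde_slot, fde_install, fde_snapshot, seq_read_begin and seq_read_retry are hypothetical, fp is an integer tag standing in for the struct file pointer, and the rights values are constructed. The writer side is assumed to be serialized by the caller, as the fdtable lock does for dup2 in a kernel.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a descriptor-table entry: two fields a lockless reader must see as one unit. */
struct fde {
    uintptr_t fp;      /* stands in for the struct file pointer */
    uint64_t  rights;  /* capability rights granted on that fp */
};

/* The entry plus the sequence counter guarding it (odd while a write is in progress). */
struct fde_slot {
    atomic_uint seq;
    struct fde  e;
};

static void fde_slot_init(struct fde_slot *s)
{
    atomic_store(&s->seq, 0);
    s->e.fp = 0;
    s->e.rights = 0;
}

/* Writer side; callers must serialize writers (the fdtable lock does this in a kernel). */
static void fde_install(struct fde_slot *s, uintptr_t fp, uint64_t rights)
{
    atomic_fetch_add_explicit(&s->seq, 1, memory_order_relaxed); /* counter goes odd */
    atomic_thread_fence(memory_order_release);
    s->e.fp = fp;
    s->e.rights = rights;
    atomic_thread_fence(memory_order_release);
    atomic_fetch_add_explicit(&s->seq, 1, memory_order_relaxed); /* counter even again */
}

/* Reader side: wait out an in-progress write and return the counter to compare against later. */
static unsigned seq_read_begin(struct fde_slot *s)
{
    unsigned v;
    while (((v = atomic_load_explicit(&s->seq, memory_order_acquire)) & 1) != 0)
        ;  /* a writer holds the odd count; spin until it finishes */
    return v;
}

/* True if an install ran since seq_read_begin returned v, i.e. the copy may be torn. */
static bool seq_read_retry(struct fde_slot *s, unsigned v)
{
    atomic_thread_fence(memory_order_acquire);
    return atomic_load_explicit(&s->seq, memory_order_relaxed) != v;
}

/* Seqlock-protected read: retry until fp and rights come from the same install. */
static struct fde fde_snapshot(struct fde_slot *s)
{
    struct fde snap;
    unsigned v;
    do {
        v = seq_read_begin(s);
        snap = s->e;
    } while (seq_read_retry(s, v));
    return snap;
}

/* The race from the cover letter made deterministic: an install (think dup2 on another
 * CPU) lands between the two field copies. With no sequence check the reader leaves
 * with the old fp paired with the new rights. */
static struct fde naive_read_racing_install(struct fde_slot *s, uintptr_t new_fp, uint64_t new_rights)
{
    struct fde snap;
    snap.fp = s->e.fp;                   /* first half of the copy */
    fde_install(s, new_fp, new_rights);  /* simulated concurrent writer */
    snap.rights = s->e.rights;           /* second half, now from a different entry */
    return snap;
}

/* Same interleaving, but the reader validates with the counter and retries. */
static struct fde seq_read_racing_install(struct fde_slot *s, uintptr_t new_fp, uint64_t new_rights)
{
    struct fde snap;
    unsigned v;
    bool injected = false;
    do {
        v = seq_read_begin(s);
        snap.fp = s->e.fp;
        if (!injected) {                 /* inject the writer exactly once */
            fde_install(s, new_fp, new_rights);
            injected = true;
        }
        snap.rights = s->e.rights;
    } while (seq_read_retry(s, v));      /* the first pass is detected as torn */
    return snap;
}

int main(void)
{
    struct fde_slot slot;
    struct fde r;
    fde_slot_init(&slot);
    fde_install(&slot, 1, 0x0f);         /* constructed: fp 1 with rights 0x0f */
    r = naive_read_racing_install(&slot, 2, 0x01);
    printf("naive  : fp=%lu rights=%#lx (torn: fp 1 never carried rights 0x01)\n",
        (unsigned long)r.fp, (unsigned long)r.rights);
    fde_install(&slot, 1, 0x0f);
    r = seq_read_racing_install(&slot, 2, 0x01);
    printf("seqlock: fp=%lu rights=%#lx (consistent pair)\n",
        (unsigned long)r.fp, (unsigned long)r.rights);
    return 0;
}
```

The counter only certifies that the two fields were copied from the same install; anything the reader does with fp afterwards (taking the reference, in the cover letter's terms) is outside its protection, which is why the letter's remaining theoretical race would need the whole entry re-read and compared after the refcount step.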