From: Rick Macklem
Date: Tue, 16 Apr 2019 02:48:05 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r346262 - stable/10/sys/rpc/rpcsec_gss

Author: rmacklem
Date: Tue Apr 16 02:48:04 2019
New Revision: 346262
URL: https://svnweb.freebsd.org/changeset/base/346262

Log:
  MFC: r345818, r345828
  Fix a race in the RPCSEC_GSS server code that caused crashes.

  When a new client structure was allocated, it was added to the list
  so that it was visible to other threads before the expiry time was
  initialized, with only a single reference count.
  The caller would increment the reference count, but it was possible
  for another thread to decrement the reference count to zero and free
  the structure before the caller incremented the reference count.
  This could occur because the expiry time was still set to zero when
  the new client structure was inserted in the list and the list was
  unlocked.

  This patch fixes the race by initializing the reference count to two
  and initializing all fields, including the expiry time, before
  inserting it in the list.

Modified: stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c ============================================================================== --- stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Tue Apr 16 02:46:21 2019 (r346261) +++ stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Tue Apr 16 02:48:04 2019 (r346262) @@ -543,18 +543,17 @@ svc_rpc_gss_create_client(void) client = mem_alloc(sizeof(struct svc_rpc_gss_client)); memset(client, 0, sizeof(struct svc_rpc_gss_client)); - refcount_init(&client->cl_refs, 1); + + /* + * Set the initial value of cl_refs to two. One for the caller + * and the other to hold onto the client structure until it expires. + */ + refcount_init(&client->cl_refs, 2); sx_init(&client->cl_lock, "GSS-client"); getcredhostid(curthread->td_ucred, &hostid); client->cl_id.ci_hostid = hostid; client->cl_id.ci_boottime = boottime.tv_sec; client->cl_id.ci_id = svc_rpc_gss_next_clientid++; - list = &svc_rpc_gss_client_hash[client->cl_id.ci_id % CLIENT_HASH_SIZE]; - sx_xlock(&svc_rpc_gss_lock); - TAILQ_INSERT_HEAD(list, client, cl_link); - TAILQ_INSERT_HEAD(&svc_rpc_gss_clients, client, cl_alllink); - svc_rpc_gss_client_count++; - sx_xunlock(&svc_rpc_gss_lock); /* * Start the client off with a short expiration time. We will @@ -564,6 +563,12 @@ svc_rpc_gss_create_client(void) client->cl_locked = FALSE; client->cl_expiration = time_uptime + 5*60; + list = &svc_rpc_gss_client_hash[client->cl_id.ci_id % CLIENT_HASH_SIZE]; + sx_xlock(&svc_rpc_gss_lock); + TAILQ_INSERT_HEAD(list, client, cl_link); + TAILQ_INSERT_HEAD(&svc_rpc_gss_clients, client, cl_alllink); + svc_rpc_gss_client_count++; + sx_xunlock(&svc_rpc_gss_lock); return (client); } 
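Review bot: In the @@ -564 hunk, the list insertion that now follows the cl_expiration assignment carries no comment saying that this ordering is required. A line above sx_xlock(&svc_rpc_gss_lock) stating that the client must be fully initialized (cl_refs, cl_expiration) before it becomes visible on svc_rpc_gss_client_hash would keep a later edit from moving the block back up. The comment added in the @@ -543 hunk explains the two references, but a comment at the top of svc_rpc_gss_create_client() should also say that the function returns with the caller's reference already held. Separately, the context line `client->cl_id.ci_id = svc_rpc_gss_next_clientid++;` increments a global outside svc_rpc_gss_lock in the visible lines; unless callers are serialized some other way, two threads can be handed the same ci_id, and moving that assignment inside the locked region would close this.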
@@ -1261,7 +1266,6 @@ svc_rpc_gss(struct svc_req *rqst, struct rpc_msg *msg) goto out; } client = svc_rpc_gss_create_client(); - refcount_acquire(&client->cl_refs); } else { struct svc_rpc_gss_clientid *p; if (gc.gc_handle.length != sizeof(*p)) {
From: Rick Macklem
Date: Thu, 18 Apr 2019 02:54:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r346344 - stable/10/sys/rpc/rpcsec_gss

Author: rmacklem
Date: Thu Apr 18 02:54:07 2019
New Revision: 346344
URL: https://svnweb.freebsd.org/changeset/base/346344

Log:
  MFC: r345866
  Fix malloc stats for the RPCSEC_GSS server code when DEBUG is enabled.

  The code enabled when "DEBUG" is defined uses mem_alloc(), which is a
  malloc(.., M_RPC, M_WAITOK | M_ZERO), but then calls gss_release_buffer()
  which does a free(.., M_GSSAPI) to free the memory.
  This patch fixes the problem by replacing mem_alloc() with a
  malloc(.., M_GSSAPI, M_WAITOK | M_ZERO).
  This bug affects almost no one, since the sources are not normally built
  with "DEBUG" defined.

Modified: stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c ============================================================================== --- stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Thu Apr 18 02:47:59 2019 (r346343) +++ stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Thu Apr 18 02:54:07 2019 (r346344) @@ -738,7 +738,7 @@ gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, g * here for "{ " and "}\0". */ string_length += 4; - if ((bp = (char *) mem_alloc(string_length))) { + if ((bp = malloc(string_length, M_GSSAPI, M_WAITOK | M_ZERO))) { strcpy(bp, "{ "); number = (unsigned long) cp[0]; sprintf(numstr, "%ld ", number/40);
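Review bot: The NULL test around the new malloc() call in the @@ -738 hunk can never fail: with M_WAITOK, malloc(9) sleeps until the request can be satisfied and does not return NULL, so `if ((bp = malloc(string_length, M_GSSAPI, M_WAITOK | M_ZERO))) {` is always true. Assigning bp unconditionally and removing the conditional would make that explicit. In the context lines, `number` is an unsigned long but is formatted with "%ld" in `sprintf(numstr, "%ld ", number/40);`; "%lu" matches the type.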