From: "nocool" <nocool@263.net>
To: "Robert Watson"
Cc: freebsd-hackers, freebsd-current
Date: Mon, 7 Nov 2005 15:30:39 +0800
Subject: Re: Why INVARIANTS option and sanity checking?
Message-Id: <20051107072955.E585B1187@smtp.263.net>

> The design for FreeBSD calls for all memory and other resources provided
> to unprivileged processes to be scrubbed before being made available.
> Only using privilege should a process be able to gain access to unscrubbed
> resources through allocation. For example:
>
> - When a process allocates a new file, it will be created as zero-length.
>   When extended using ftruncate(), any data read or pages mapped from the
>   file will be zero-filled.
>
> - When new memory is allocated to the process at time of exec(), using
>   brk(), or using anonymous mmap(), zero'd pages are provided to the
>   process (often optimized using copy-on-write).
I noticed that the code for brk() and mmap() only sets up the structure for
address mapping, and the physical pages are allocated in vm_fault(). I looked
through the code of vm_fault(), but I can't find the optimization of COW from
zeroed pages you mentioned. Can you give me some tips? Thanks.

> - When kernel data structures are returned to user space, they are zero'd.
>   This is necessary even when a structure is filled out explicitly, as the
>   padding in the structure introduced by the compiler must also be zero'd.
>   For example, with data structures returned by ioctl(), sysctl(), etc.

I can't grasp your meaning. Do you mean to zero the structure before the
kernel fills it and copies it out to user space, or to zero it after filling?
I scanned ioctl() and found this code:

    {
        memp = malloc((u_long)size, M_IOCTLOPS, M_WAITOK);
        data = memp;
        ...
        if (com & IOC_OUT) {
            bzero(data, size);      /* clear the buffer before the handler fills it */
        }
        ...
        error = fo_ioctl(fp, com, data, td->td_ucred, td);
        if (error == 0 && (com & IOC_OUT))
            error = copyout(data, uap->data, (u_int)size);   /* whole buffer goes to user space */
    }

This code is consistent with my first understanding. Did you mean the same?
But I do find some code that is not consistent with your answer, for example:
in msgsnd(), message segments from msgpool[] are organised to form the message
buffer, and the kernel copies the user message into this buffer. And in
msgrcv() the message is copied out to the user area according to the length
stored in the message header. There is no cleaning of these message segments
in either function. Can you give me some further explanation?

Have a good weekend. Thanks
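As an added illustration of the padding point in the quoted paragraph (example code written for this note, not from the FreeBSD source or from either correspondent), this C snippet reproduces the ioctl() pattern in user space: the struct `reply`, the union and the 0xAA fill are constructed stand-ins for a handler's output structure and a reused kernel allocation, and the 0 result shows why the bzero() has to precede the fill even though every field is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed struct (hypothetical): on common ABIs the compiler pads 3 bytes
 * after `tag` and 2 after `flag`, so sizeof is 12 but the fields cover 7. */
struct reply {
    char     tag;
    uint32_t value;
    uint16_t flag;
};
/* The same storage viewed as the struct and as raw bytes. */
union reply_buf {
    struct reply  r;
    unsigned char bytes[sizeof(struct reply)];
};
/* True when byte i lies inside member m of struct reply. */
#define IN_FIELD(i, m) ((i) >= offsetof(struct reply, m) && \
                        (i) < offsetof(struct reply, m) + sizeof(((struct reply *)0)->m))

/* A handler that "explicitly fills out" every field, as the quoted text says. */
static void fill_reply(struct reply *r)
{
    r->tag = 'R';
    r->value = 42;
    r->flag = 1;
}

/* Bytes that belong to no field yet are non-zero: exactly what copyout()
 * would hand to user space if the buffer were not zeroed first. */
static int stale_padding_bytes(const union reply_buf *b)
{
    int stale = 0;
    for (size_t i = 0; i < sizeof b->bytes; i++)
        if (!IN_FIELD(i, tag) && !IN_FIELD(i, value) && !IN_FIELD(i, flag)
            && b->bytes[i] != 0)
            stale++;
    return stale;
}

/* Simulates a reused kernel allocation (0xAA marks the previous occupant's data),
 * optionally zeroes it as the quoted ioctl() code does, then fills the fields. */
int stale_bytes_after_fill(int zero_first)
{
    union reply_buf b;
    memset(b.bytes, 0xAA, sizeof b.bytes);
    if (zero_first)
        memset(b.bytes, 0, sizeof b.bytes);   /* the kernel's bzero(data, size) */
    fill_reply(&b.r);
    return stale_padding_bytes(&b);           /* 0 with zero_first, typically 5 without */
}
```

Calling `stale_bytes_after_fill(0)` shows the stale padding that would be copied out; `stale_bytes_after_fill(1)` shows the zeroed pattern leaves none.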