Date: Thu, 25 Feb 2016 12:07:57 +0200
From: Konstantin Belousov
To: Kristof Provost
Cc: Conrad Meyer, "src-committers@freebsd.org", "svn-src-all@freebsd.org", "svn-src-head@freebsd.org"
Subject: Re: svn commit: r296025 - head/sys/netpfil/pf
Message-ID: <20160225100757.GA67250@kib.kiev.ua>

On Thu, Feb 25, 2016 at 10:17:41AM +0100, Kristof Provost wrote:
> On 2016-02-24 23:47:55 (-0800), Conrad Meyer wrote:
> > On Wed, Feb 24, 2016 at 11:41 PM, Adrian Chadd wrote:
> > > .. what's capping totlen so one doesn't run out of memory?
> >
> > There was a DoS vector before (user controlled io->pfrio_size) and
> > basically the same DoS vector now (either of io->pfrio_size or
> > io->pfrio_size2). This change isn't a regression. Still, it should
> > be fixed.
> >
> It's an M_WAITOK allocation, so if the user asks for more memory than is
> available the thread will sleep. I'd assumed that if the user terminates
> the thread the sleep will wake, the allocation will fail and the ioctl()
> will return an error.
M_WAITOK allocations still panic when requested amount of KVA is
unreasonable. I am curious what do you mean by 'user terminating the
thread'. The sleep in malloc() is uninterruptible by signal, and user
does not have any other way to disturb the execution.

>
> Perhaps we should do what OpenBSD do, and not allocate the temporary
> buffer at all. They copy in/out the individual entries one by one. On
> the other hand, one could still exhaust memory by inserting large
> numbers of addresses in the table.
But note that accesses to the user memory may fault, which puts whole
VM and VFS subsystems (and possibly the network as well, if user supplied
address is backed by mapped NFS file) after the locks owned at the
moment of copyin() call.
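
The cap on totlen that the thread asks about, as an added userland C sketch that is not part of this message or of FreeBSD's code: it rejects a user-supplied entry count before any allocation is attempted. `REQ_MAX_ENTRIES`, `struct req`, `req_totlen`, the `int` field types and sizing the buffer for the larger of the two counts are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical policy limit on entries per request (assumption, not a pf constant). */
#define REQ_MAX_ENTRIES 65536u

/* Stand-in for the request carrying the two user-supplied counts named in the thread. */
struct req {
	int pfrio_size;		/* user controlled */
	int pfrio_size2;	/* user controlled */
	size_t esize;		/* size of one entry, chosen by the callee, not the user */
};

/*
 * Compute the temporary buffer length for a request, failing before any
 * allocation happens. Returns 0 and stores the length in *totlen, or
 * returns an errno value and leaves *totlen untouched.
 */
int
req_totlen(const struct req *r, size_t *totlen)
{
	size_t n;

	/* Counts arrive as signed values: reject negatives before casting. */
	if (r->pfrio_size < 0 || r->pfrio_size2 < 0)
		return (EINVAL);
	/* Assumption: the buffer must hold the larger of the two counts. */
	n = (size_t)(r->pfrio_size > r->pfrio_size2 ?
	    r->pfrio_size : r->pfrio_size2);
	/* Policy cap: bounds the request no matter what the caller asks for. */
	if (n > REQ_MAX_ENTRIES)
		return (ENOMEM);
	/* Independent overflow check on the multiplication itself. */
	if (r->esize != 0 && n > SIZE_MAX / r->esize)
		return (EOVERFLOW);
	*totlen = n * r->esize;
	return (0);
}
```

A cap of this kind bounds only the temporary buffer; it does not limit how many addresses accumulate in the table across calls, which is the separate exhaustion path raised in the quoted text.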