From owner-svn-src-head@FreeBSD.ORG Sat Oct 4 14:22:33 2014
Subject: Re: svn commit: r272505 - in head/sys: kern sys
From: "Bjoern A. Zeeb"
In-Reply-To: <201410040808.s9488uAI099166@svn.freebsd.org>
Date: Sat, 4 Oct 2014 14:21:54 +0000
Message-Id: <42180557-0119-4597-9492-662E1671A840@FreeBSD.org>
To: Mateusz Guzik, Konstantin Belousov
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org

On 04 Oct 2014, at 08:08 , Mateusz Guzik wrote:

> Author: mjg
> Date: Sat Oct  4 08:08:56 2014
> New Revision: 272505
> URL: https://svnweb.freebsd.org/changeset/base/272505
>
> Log:
>   Plug capability races.
>
>   fp and appropriate capability lookups were not atomic, which could result in
>   improper capabilities being checked.
>
>   This could result either in protection bypass or in a spurious ENOTCAPABLE.
>
>   Make fp + capability check atomic with the help of sequence counters.
>
>   Reviewed by:  kib
>   MFC after:    3 weeks
>
> Modified:
>   head/sys/kern/kern_descrip.c
>   head/sys/sys/filedesc.h
> …

This file is included from user space. There is no opt_capsicum.h there.
Including an opt_* in the header file seems wrong in a lot of ways usually.

I tried to add a bandaid for the moment with r272523 which (to be honest) makes it worse. This needs a better fix.

I also wonder why the (conditional) fde_seq ended up at the beginning of the structure rather than the end?
> Modified: head/sys/sys/filedesc.h > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- head/sys/sys/filedesc.h Sat Oct 4 08:05:39 2014 = (r272504) > +++ head/sys/sys/filedesc.h Sat Oct 4 08:08:56 2014 = (r272505) > @@ -33,11 +33,14 @@ > #ifndef _SYS_FILEDESC_H_ > #define _SYS_FILEDESC_H_ >=20 > +#include "opt_capsicum.h" > + > #include > #include > #include > #include > #include > +#include > #include >=20 > #include > @@ -50,6 +53,9 @@ struct filecaps { > }; >=20 > struct filedescent { > +#ifdef CAPABILITIES > + seq_t fde_seq; /* if you need fde_file = and fde_caps in sync */ > +#endif > struct file *fde_file; /* file structure for = open file */ > struct filecaps fde_caps; /* per-descriptor rights = */ > uint8_t fde_flags; /* per-process open file = flags */ > @@ -58,6 +64,13 @@ struct filedescent { > #define fde_fcntls fde_caps.fc_fcntls > #define fde_ioctls fde_caps.fc_ioctls > #define fde_nioctls fde_caps.fc_nioctls > +#ifdef CAPABILITIES > +#define fde_change(fde) ((char *)(fde) + sizeof(seq_t)) > +#define fde_change_size (sizeof(struct filedescent) - = sizeof(seq_t)) > +#else > +#define fde_change(fde) ((fde)) > +#define fde_change_size (sizeof(struct filedescent)) > +#endif >=20 > /* > * This structure is used for the management of descriptors. It may = be > @@ -82,6 +95,9 @@ struct filedesc { > int fd_holdleaderscount; /* block fdfree() for shared = close() */ > int fd_holdleaderswakeup; /* fdfree() needs wakeup */ > }; > +#ifdef CAPABILITIES > +#define fd_seq(fdp, fd) (&(fdp)->fd_ofiles[(fd)].fde_seq) > +#endif >=20 > /* > * Structure to keep track of (process leader, struct fildedesc) = tuples. >=20

—
Bjoern A. Zeeb
"Come on. Learn, goddamn it.", WarGames, 1983
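Review bot: the `+#include "opt_capsicum.h"` in the first hunk (@@ -33,11 +33,14 @@) cannot resolve outside a kernel build: opt_*.h files are generated into the kernel compile directory, so every user-space consumer of sys/sys/filedesc.h (and any out-of-tree module) now fails to compile, which is exactly the breakage the reply reports. Suggest wrapping it in `#ifdef _KERNEL`, and checking that the new unconditional `+#include` line below it is likewise safe for user space, or pulling the CAPABILITIES-dependent pieces into a kernel-only section of the header.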
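Review bot: in the second hunk (@@ -50,6 +53,9 @@) the conditional `seq_t fde_seq;` as first member makes the size and layout of `struct filedescent` depend on whether CAPABILITIES is defined, so a consumer compiled without opt_capsicum.h sees a different struct than the kernel. The comment "if you need fde_file and fde_caps in sync" also hides that the position is load-bearing: `fde_change()` and `fde_change_size` in the next hunk rely on fde_seq being first. Suggest the comment say so explicitly (it answers the reply's question of why the field is not last), and that the layout difference between kernel and user-space views be called out or avoided.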
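Review bot: in the third hunk (@@ -58,6 +64,13 @@) `fde_change(fde)` and `fde_change_size` derive the region to copy from `sizeof(seq_t)`, which silently assumes no padding between fde_seq and fde_file and that nothing is ever inserted before fde_file. Using `offsetof(struct filedescent, fde_file)` in both macros states the real invariant and keeps the copy correct if the layout changes; as written the copy still stays within the struct, so this is a robustness point rather than a bug. Minor: the `#else` branch `((fde))` has a redundant pair of parentheses.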
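Review bot: in the last hunk (@@ -82,6 +95,9 @@) `fd_seq(fdp, fd)` gets no `#else` counterpart, unlike fde_change/fde_change_size, so each caller in kern_descrip.c has to carry its own `#ifdef CAPABILITIES`. Either provide a non-CAPABILITIES definition for symmetry or add a comment that the macro is only available under CAPABILITIES; also note the macro indexes `fd_ofiles[(fd)]` unchecked, so callers must already hold a validated fd.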