From owner-svn-src-head@FreeBSD.ORG Sat Oct 4 19:25:56 2014
From: "Bjoern A. Zeeb"
Subject: Re: svn commit: r272505 - in head/sys: kern sys
Date: Sat, 4 Oct 2014 19:25:23 +0000
To: Konstantin Belousov
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Mateusz Guzik
In-Reply-To: <20141004163633.GT26076@kib.kiev.ua>
Message-Id: <23D87C79-1101-4E37-AA49-1C7FA8AC5C0F@FreeBSD.org>
References: <201410040808.s9488uAI099166@svn.freebsd.org> <42180557-0119-4597-9492-662E1671A840@FreeBSD.org> <20141004163633.GT26076@kib.kiev.ua>
List-Id: SVN commit messages for the src tree for head/-current

On 04 Oct 2014, at 16:36 , Konstantin Belousov wrote:

> On Sat, Oct 04, 2014 at 02:21:54PM +0000, Bjoern A. Zeeb wrote:
>>
>> On 04 Oct 2014, at 08:08 , Mateusz Guzik wrote:
>>
>>> Author: mjg
>>> Date: Sat Oct 4 08:08:56 2014
>>> New Revision: 272505
>>> URL: https://svnweb.freebsd.org/changeset/base/272505
>>>
>>> Log:
>>> Plug capability races.
>>>
>>> fp and appropriate capability lookups were not atomic, which could result in
>>> improper capabilities being checked.
>>>
>>> This could result either in protection bypass or in a spurious ENOTCAPABLE.
>>>
>>> Make fp + capability check atomic with the help of sequence counters.
>>>
>>> Reviewed by: kib
>>> MFC after: 3 weeks
>>>
>>> Modified:
>>> head/sys/kern/kern_descrip.c
>>> head/sys/sys/filedesc.h
>>> ?
>>
>>
>> This file is included from user space. There is no opt_capsicum.h there.
>> Including an opt_* in the header file seems wrong in a lot of ways usually.
> I think that easiest, and probably the most correct, fix is to include
> the fde_seq member unconditionally.
>
>>
>> I tried to add a bandaid for the moment with r272523 which (to be honest) makes it worse.
>>
>> This needs a better fix.
> Hm, I do see inclusion of sys/filedesc.h in the usermode programs, most
> worrying is libprocstat. But, there is nothing useful for usermode in the
> header, except possibly for the code which inspects KVA.

It's included indirectly imho through other sys/* header files if I am not mistaken.

>
>>
>>
>> I also wonder why the (conditional) fde_seq ended up at the beginning of the structure rather than the end?
>>
> Why not ?

Because it guarantees the structure layout (offsets) to change for either way, whereas at the end things would at least be deterministic for the beginning; it might not make a change in reality, but it's nice anyway (also for debugging).

--
Bjoern A. Zeeb
"Come on. Learn, goddamn it.", WarGames, 1983
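The layout concern discussed in this thread, as an added example that is not code from the thread or from FreeBSD: a structure member that exists only when a kernel option header (opt_*.h) defines a symbol gives the kernel and a userland consumer of the same header two different views of the structure. The example compares the two views with offsetof() and sizeof() for both placements of the conditional member. The members fde_file, fde_caps and fde_flags are hypothetical stand-ins chosen for illustration, not the real struct filedescent; only fde_seq is named in the thread.

```c
/*
 * Added example, not FreeBSD code: compare the kernel's and userland's view of
 * a structure whose member fde_seq is only compiled in under a kernel option.
 * Members other than fde_seq are hypothetical stand-ins for a descriptor entry.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout A: the conditional member at the BEGINNING of the structure. */
struct fde_head_kernel {	/* kernel build: option defined, member present */
	uint64_t fde_seq;	/* sequence counter, present only in-kernel */
	void	*fde_file;
	uint64_t fde_caps;
	uint8_t	 fde_flags;
};
struct fde_head_user {		/* same header from userland: no opt_*.h, member compiled out */
	void	*fde_file;
	uint64_t fde_caps;
	uint8_t	 fde_flags;
};

/* Layout B: the conditional member at the END of the structure. */
struct fde_tail_kernel {
	void	*fde_file;
	uint64_t fde_caps;
	uint8_t	 fde_flags;
	uint64_t fde_seq;	/* sequence counter, present only in-kernel */
};
struct fde_tail_user {
	void	*fde_file;
	uint64_t fde_caps;
	uint8_t	 fde_flags;
};

/* 1 if the kernel and userland views agree on the offset of every member both
 * can see, 0 if any shared member moved. */
int head_placement_offsets_agree(void)
{
	return (offsetof(struct fde_head_kernel, fde_file) == offsetof(struct fde_head_user, fde_file) &&
	    offsetof(struct fde_head_kernel, fde_caps) == offsetof(struct fde_head_user, fde_caps) &&
	    offsetof(struct fde_head_kernel, fde_flags) == offsetof(struct fde_head_user, fde_flags));
}

int tail_placement_offsets_agree(void)
{
	return (offsetof(struct fde_tail_kernel, fde_file) == offsetof(struct fde_tail_user, fde_file) &&
	    offsetof(struct fde_tail_kernel, fde_caps) == offsetof(struct fde_tail_user, fde_caps) &&
	    offsetof(struct fde_tail_kernel, fde_flags) == offsetof(struct fde_tail_user, fde_flags));
}

/* 1 if the two views disagree on sizeof() the entry.  A userland tool walking
 * an array of such entries then uses the wrong stride even when every shared
 * member offset agrees. */
int head_placement_sizes_differ(void)
{
	return sizeof(struct fde_head_kernel) != sizeof(struct fde_head_user);
}

int tail_placement_sizes_differ(void)
{
	return sizeof(struct fde_tail_kernel) != sizeof(struct fde_tail_user);
}

int main(void)
{
	printf("conditional member first: shared offsets agree=%d, sizes differ=%d\n",
	    head_placement_offsets_agree(), head_placement_sizes_differ());
	printf("conditional member last:  shared offsets agree=%d, sizes differ=%d\n",
	    tail_placement_offsets_agree(), tail_placement_sizes_differ());
	printf("offsetof(fde_file), member first: kernel %zu vs userland %zu\n",
	    offsetof(struct fde_head_kernel, fde_file),
	    offsetof(struct fde_head_user, fde_file));
	return (0);
}
```

With the conditional member first, every shared member sits at a different offset in the two views, so any userland reader of the structure (a tool such as libprocstat inspecting kernel memory) decodes every field wrongly. With the member last, the shared offsets agree and only the size differs; that still breaks walks over arrays of entries, which is why the placement is at best a debugging convenience rather than a fix. Compiling the member in unconditionally, as proposed in the thread, is what makes the two views identical.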