Date: Sun, 5 Sep 1999 07:44:32 -0400 (EDT)
From: "Brian F. Feldman" <green@FreeBSD.org>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Nick Hibma <hibma@skylink.it>, FreeBSD -- The Power to Serve <geniusj@free-bsd.org>, Mike Tancsa <mike@sentex.net>, freebsd-security@FreeBSD.org
Subject: Re: FW: Local DoS in FreeBSD
Message-ID: <Pine.BSF.4.10.9909050459190.84695-100000@janus.syracuse.net>
In-Reply-To: <199909050110.SAA63819@apollo.backplane.com>
On Sat, 4 Sep 1999, Matthew Dillon wrote:

> :Whatever's in login.conf? :) Would you mind helping me out with
> :http://www.FreeBSD.org/~green/sbsize2.patch? The KASSERT() fails
> :in some cases, which I need help tracking down.
> :...
> : Brian Fundakowski Feldman / "Any sufficiently advanced bug is \
>
> Hmmm. I see a problem, but it may not be the cause of
> your problem. 'ui_proccnt == 0 && ui_sbsize == 0' may not be
> sufficient to determine when a uip can be deleted, because a root
> process can change its uid (resulting in the old uip's proccnt
> possibly going to 0) and a socket buffer can be set to 0-length
> during a shutdown() operation, possibly causing ui_sbsize to go to
> zero.

Credentials are not the problem since the socket carries them around with
it. Where can sb_hiwat be set to 0 in shutdown()? That wouldn't affect
ui_sbsize if I missed it, but I'm pretty sure I didn't miss it.

> Thus both fields may end up zero, a reference to the uip
> may remain associated with the socket, and chgproccnt may
> free the underlying uip.

I don't think this can happen.

> I think what you need is a direct pointer reference to
> the uip from the socket. This would require a ui_refcount
> be kept on the uip, since ui_proccnt isn't really a
> general ref count in and of itself.
>
> I suspect that you may still hit the KASSERT, that there
> is something we are still missing, but this should help.

I still need to get that part working. Now I'm running into the problem
(without these patches) that I get "malloc: wrong bucket" often, and I
can't figure out why.

> -Matt
> Matthew Dillon
> <dillon@backplane.com>

--
 Brian Fundakowski Feldman / "Any sufficiently advanced bug is \
 green@FreeBSD.org | indistinguishable from a feature." |
 FreeBSD: The Power to Serve! \ -- Rich Kulawiec /
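As an added illustration of the lifetime question argued in this exchange (not code from the thread or from the FreeBSD kernel), the following C models a simplified uidinfo with both policies side by side: the counting-only rule "free when ui_proccnt and ui_sbsize are both zero" versus an explicit ui_refcount held by every process and socket that carries the pointer. The struct, the helper names and the 65536-byte charge are constructed for the model; `ui_freed` stands in for the actual free so the demonstration never dereferences released memory.

```c
#include <string.h>

/* Constructed, simplified stand-in for the kernel's per-uid record. */
struct uidinfo {
    long ui_proccnt;   /* processes currently running with this uid */
    long ui_sbsize;    /* socket buffer bytes charged to this uid */
    long ui_refcount;  /* holders of a pointer to this record (refcount policy) */
    int  ui_freed;     /* set to 1 where the real code would free the record */
};

/* Counting-only policy: release the record once both counters are idle. */
static void uifree_if_idle(struct uidinfo *uip)
{
    if (uip->ui_proccnt == 0 && uip->ui_sbsize == 0)
        uip->ui_freed = 1;
}

/* Refcount policy: release only when the last pointer holder lets go. */
static void uihold(struct uidinfo *uip) { uip->ui_refcount++; }
static void uidrop(struct uidinfo *uip)
{
    if (--uip->ui_refcount == 0)
        uip->ui_freed = 1;
}

/* Replays the sequence from the thread: a socket is charged to the uid,
 * shutdown() shrinks its buffer to zero, then the (root) process changes
 * uid so chgproccnt takes ui_proccnt to zero. Returns 1 if the socket is
 * left holding a released record, 0 if the record is still live. */
int socket_left_dangling(int use_refcount)
{
    struct uidinfo ui;
    struct uidinfo *sock_uip;                 /* pointer carried by the socket */
    memset(&ui, 0, sizeof ui);

    ui.ui_proccnt = 1;                        /* process starts under this uid */
    if (use_refcount) uihold(&ui);            /* process's own reference */
    sock_uip = &ui;                           /* socket records the uid */
    ui.ui_sbsize += 65536;                    /* chgsbsize: charge the buffer */
    if (use_refcount) uihold(sock_uip);       /* socket's own reference */

    ui.ui_sbsize -= 65536;                    /* shutdown(): buffer set to 0 */
    ui.ui_proccnt--;                          /* setuid: chgproccnt to zero */
    if (use_refcount) uidrop(&ui);            /* process lets go; socket still holds */
    else uifree_if_idle(&ui);                 /* both counters zero: record freed */

    return sock_uip->ui_freed;                /* the socket still points here */
}
```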