Date: Thu, 8 Apr 2010 00:58:41 +0300 From: Kostik Belousov <kostikbel@gmail.com> To: Aurelien Jarno <aurelien@aurel32.net> Cc: freebsd-hackers@freebsd.org, Petr Salinger <Petr.Salinger@seznam.cz> Subject: Re: leak of the vnodes Message-ID: <20100407215841.GL2415@deviant.kiev.zoral.com.ua> In-Reply-To: <20100407215256.GA2739@hall.aurel32.net> References: <Pine.LNX.4.62.1004061700590.25851@sci.felk.cvut.cz> <20100406140308.GY2415@deviant.kiev.zoral.com.ua> <20100406140852.GZ2415@deviant.kiev.zoral.com.ua> <20100406144402.GB2415@deviant.kiev.zoral.com.ua> <Pine.LNX.4.62.1004062154060.26438@sci.felk.cvut.cz> <20100406210321.GE2415@deviant.kiev.zoral.com.ua> <Pine.LNX.4.62.1004070838050.27621@sci.felk.cvut.cz> <20100407095928.GG2415@deviant.kiev.zoral.com.ua> <Pine.LNX.4.62.1004072256540.29016@sci.felk.cvut.cz> <20100407215256.GA2739@hall.aurel32.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--KMh3oH5xaVDeKy7N Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 07, 2010 at 11:52:56PM +0200, Aurelien Jarno wrote: > On Wed, Apr 07, 2010 at 11:05:28PM +0200, Petr Salinger wrote: > >>> What have to be logged ? > >> Please look at ddb command "show files", implemented in kern/kern_desc= rip.c, > >> lines 3284-3305 on HEAD. Instead of doing full dump, you can manually > >> inspect the output. Or, you can write some code that would search the > >> suspicious vnodes among the vnodes referenced from the processes > >> opened files. Vnode is probably leaked if use count is > 0 but no > >> process has vnode referenced by struct file. > > > > See attached file. > > > >>>> I think there should be something else going on. > > > > Bellow is leaking recipe tested under GNU/kFreeBSD. > > I would expect it leaks vnodes also under plain FreeBSD. > > >=20 > I confirm it is reproducible on plain FreeBSD. Looks like a security > issue, as a normal user can create a local DoS in a few dozen of > seconds. I already posted the following patch in private. diff --git a/sys/kern/tty_pts.c b/sys/kern/tty_pts.c index 5cfbc71..e9dac77 100644 --- a/sys/kern/tty_pts.c +++ b/sys/kern/tty_pts.c @@ -575,6 +575,9 @@ ptsdev_close(struct file *fp, struct thread *td) tty_lock(tp); tty_rel_gone(tp); =20 + if (fp->f_vnode !=3D NULL) + return (vnops.fo_close(fp, td)); + return (0); } --KMh3oH5xaVDeKy7N Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iEYEARECAAYFAku9ABAACgkQC3+MBN1Mb4gcZQCgvw+nVq4hqszvNwvkK2t7Si89 kg4AoO6hvXVO1/dc4ZpIREzXodTtFznW =sMGS -----END PGP SIGNATURE----- --KMh3oH5xaVDeKy7N--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100407215841.GL2415>