Date: Mon, 5 May 2014 22:51:39 +0200
From: Mateusz Guzik
To: Chagin Dmitry
Cc: src-committers@freebsd.org, svn-src-user@freebsd.org
Subject: Re: svn commit: r265327 - in user/dchagin/lemul/sys: amd64/linux amd64/linux32 compat/linux conf i386/linux modules/linux modules/linux64
Message-ID: <20140505205138.GB17831@dft-labs.eu>
In-Reply-To: <20140505202533.GA9747@dchagin.static.corbina.net>
References: <201405041559.s44FxWdj053353@svn.freebsd.org> <20140504180749.GA17835@dft-labs.eu> <20140505050204.GA1307@dchagin.static.corbina.net> <20140505153218.GA17831@dft-labs.eu> <20140505202533.GA9747@dchagin.static.corbina.net>

On Tue, May 06, 2014 at 12:25:33AM +0400, Chagin Dmitry wrote:
> On Mon, May 05, 2014 at 05:32:18PM +0200, Mateusz Guzik wrote:
> > On Mon, May 05, 2014 at 09:02:04AM +0400, Chagin Dmitry wrote:
> > > On Sun, May 04, 2014 at 08:07:49PM +0200, Mateusz Guzik wrote:
> > > > switch (args->op) {
> > > > case LINUX_EPOLL_CTL_MOD:
> > > >         /*
> > > >          * We don't memorize which events were set for this FD
> > > >          * on this level, so just delete all we could have set:
> > > >          * EVFILT_READ and EVFILT_WRITE, ignoring any errors
> > > >          */
> > > >         error = epoll_delete_all_events(td, epfp, args->fd);
> > > >
> > > > Again a lookup.
> > > >
> > > > Whether this particular problem could be used to do something nasty I don't
> > > > know, but playing like this is asking for trouble.
> > > >
> > > > The only solution I see is to modify kqueue functions to accept fps.
> > > >
> > > reason? to prevent extra fget? or something else?
> > >
> > Having multiple lookups for the same fd number may lead to different
> > fps, which may or may not be used to cause inconsistencies which in turn
> > may or may not be exploitable to either crash the kernel or escalate
> > privileges.
> >
> > That said, the concern is that a malicious user could try to work
> > something out from this.
> >
> Hi, may be enough to keep file ref?
>

Yeah, just fget what you need and only pass fp around. Note to check that
fp->f_type == DTYPE_KQUEUE.

So just change kern_kevent to grab fp instead of fd and assert proper
fp->f_type. Similarly for other functions grabbing fd instead of fp (if
any).

-- 
Mateusz Guzik
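The following is an added example and is not code from this thread or from the FreeBSD tree. It is a user-space model of the hazard discussed above: a descriptor table maps fd numbers to reference-counted files, and a second thread can repoint a slot (dup2, or close followed by open) between two lookups of the same number. racy_ctl() follows the pattern criticised in the thread (validate the epoll fd, then call a helper that takes an fd number and looks it up again); safe_ctl() follows the suggested fix (one fget, one f_type check, then pass the held fp to the helper). The names fget(), fdrop() and DTYPE_KQUEUE mirror the kernel API only for readability; the table, the fd number 3, the object ids and the race hook are all constructed for the demo.

```c
/*
 * Added example, not FreeBSD code: user-space model of the double-lookup
 * hazard discussed above.  fget()/fdrop()/DTYPE_KQUEUE mirror kernel names
 * but are toys.  racy_ctl() resolves the same fd number twice; if another
 * thread swaps the slot in between, it modifies an object it never checked.
 * safe_ctl() resolves once, checks f_type, and passes the held fp along.
 */
#include <assert.h>
#include <stdlib.h>

enum ftype { DTYPE_VNODE = 1, DTYPE_KQUEUE = 2 };
struct file {
	enum ftype f_type;
	int f_count;	/* references: table slot + in-flight holders */
	int f_id;	/* which object this is, for the demo */
};
#define NFDS 8
static struct file *fdtable[NFDS];	/* one process's descriptor table */

/* fget(): fd number -> file, taking a reference. */
static struct file *fget(int fd)
{
	if (fd < 0 || fd >= NFDS || fdtable[fd] == NULL)
		return NULL;
	fdtable[fd]->f_count++;
	return fdtable[fd];
}

/* fdrop(): release a reference; the last one frees the object. */
static void fdrop(struct file *fp)
{
	if (--fp->f_count == 0)
		free(fp);
}

/* What another thread may do at any time (dup2, close+open): point the
 * slot at a fresh object, or at nothing when type == 0. */
static void install(int fd, enum ftype type, int id)
{
	struct file *old = fdtable[fd], *fp = NULL;
	if (type != 0) {
		fp = calloc(1, sizeof(*fp));
		assert(fp != NULL);
		fp->f_type = type;
		fp->f_count = 1;	/* the table's own reference */
		fp->f_id = id;
	}
	fdtable[fd] = fp;
	if (old != NULL)
		fdrop(old);
}

typedef void (*race_hook)(void);
/* Attacker thread: a *different* kqueue appears under the same fd number. */
static void swap_in_other_kqueue(void) { install(3, DTYPE_KQUEUE, 2); }

/* Helper that takes the fp: it cannot disagree with the caller's check. */
static int kevent_on_fp(struct file *fp)
{
	assert(fp->f_type == DTYPE_KQUEUE);
	return fp->f_id;	/* stands in for "modify this kqueue" */
}

/* Racy: validate epfd, then the helper looks the fd number up again.
 * Returns the f_id actually modified, or -1 for EBADF. */
static int racy_ctl(int epfd, race_hook between)
{
	struct file *fp = fget(epfd), *fp2;	/* lookup #1: validate */
	int touched = -1;
	if (fp == NULL || fp->f_type != DTYPE_KQUEUE)
		goto out;
	if (between) between();
	fp2 = fget(epfd);			/* lookup #2, inside the helper */
	if (fp2 != NULL && fp2->f_type == DTYPE_KQUEUE)
		touched = kevent_on_fp(fp2);	/* fp2 need not equal fp */
	if (fp2 != NULL) fdrop(fp2);
out:
	if (fp != NULL) fdrop(fp);
	return touched;
}

/* Fixed: one fget, one f_type check, fp passed everywhere. */
static int safe_ctl(int epfd, race_hook between)
{
	struct file *fp = fget(epfd);		/* the only lookup */
	int touched = -1;
	if (fp == NULL)
		return -1;
	if (fp->f_type == DTYPE_KQUEUE) {
		if (between) between();	/* slot may change; our fp does not */
		touched = kevent_on_fp(fp);
	}
	fdrop(fp);
	return touched;
}

/* Install kqueue #1 at fd 3, run one variant (optionally raced), tear down. */
static int run(int (*variant)(int, race_hook), race_hook hook)
{
	install(3, DTYPE_KQUEUE, 1);
	int r = variant(3, hook);
	install(3, 0, 0);
	return r;
}
```

run(racy_ctl, swap_in_other_kqueue) returns 2: the caller validated kqueue #1 but the helper modified kqueue #2, which the attacker slipped under the same fd number, and the helper's own type check does not catch this because #2 is also a kqueue. run(safe_ctl, swap_in_other_kqueue) returns 1: the held reference keeps #1 alive and every step operates on the object that was checked. Holding the fp alone is not the whole fix; the f_type check still has to happen once, on that fp, before it is handed to kqueue code, which is the point of the remark about fp->f_type == DTYPE_KQUEUE above.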