From owner-freebsd-hackers@FreeBSD.ORG  Fri Oct 10 22:31:26 2003
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id CFCDA16A4B3; Fri, 10 Oct 2003 22:31:26 -0700 (PDT)
Received: from kientzle.com (h-66-166-149-50.SNVACAID.covad.net
	[66.166.149.50])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id D50DB43F93; Fri, 10 Oct 2003 22:31:25 -0700 (PDT)
	(envelope-from kientzle@acm.org)
Received: from acm.org ([66.166.149.54])
	by kientzle.com (8.12.9/8.12.9) with ESMTP id h9B5VNkX048688;
	Fri, 10 Oct 2003 22:31:23 -0700 (PDT)
	(envelope-from kientzle@acm.org)
Message-ID: <3F8795A9.5020409@acm.org>
Date: Fri, 10 Oct 2003 22:31:21 -0700
From: Tim Kientzle <kientzle@acm.org>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20031006
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: kientzle@acm.org
References: <20031008083059.GA520@garage.freebsd.pl>
	<20031008114506.I63940@beagle.fokus.fraunhofer.de>
	<20031008101251.GG6524@saboteur.dek.spc.org> <3F875172.5010309@acm.org>
In-Reply-To: <3F875172.5010309@acm.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: hsu@freebsd.org
cc: rwatson@freebsd.org
cc: freebsd-hackers@freebsd.org
Subject: Re: Dynamic reads without locking.
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: kientzle@acm.org
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Oct 2003 05:31:27 -0000

> Bruce M Simpson wrote:
>>
>> Or keep a generation count to detect pre-emption (the devstat code does
>> this, amongst other things), and try again if you lost the race.

On further inspection, I'm pretty sure that sys/kern/subr_devstat.c
is not correct.

In particular, sysctl_devstat writes out a node's data without
holding the lock.  (I believe this is the whole point of all
the "generation count" machinery.)  It seems possible for
devstat_remove_entry to remove that entry, free the storage, and
have that storage recycled just before it gets written out.

In this particular case, it means random kernel data gets
written out from the kernel to userspace.  (Which in some circles
would be considered a security problem, though it's hard to see
how anyone could possibly exploit it.)

Tim Kientzle