From owner-svn-src-head@FreeBSD.ORG Wed Sep 25 13:37:53 2013
Message-Id: <201309251337.r8PDbrOp092440@svn.freebsd.org>
From: Attilio Rao
Date: Wed, 25 Sep 2013 13:37:53 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r255868 - head/sys/kern

Author: attilio
Date: Wed Sep 25 13:37:52 2013
New Revision: 255868
URL: http://svnweb.freebsd.org/changeset/base/255868

Log:
  Avoid memory accesses reordering which can result in fget_unlocked()
  seeing a stale fd_ofiles table once fd_nfiles is already updated,
  resulting in OOB accesses.

  Approved by:	re (kib)
  Sponsored by:	EMC / Isilon storage division
  Reported and tested by:	pho
  Reviewed by:	benno

Modified:
  head/sys/kern/kern_descrip.c

Modified: head/sys/kern/kern_descrip.c
==============================================================================
--- head/sys/kern/kern_descrip.c	Wed Sep 25 02:49:18 2013	(r255867)
+++ head/sys/kern/kern_descrip.c	Wed Sep 25 13:37:52 2013	(r255868)
@@ -1512,12 +1512,20 @@ fdgrowtable(struct filedesc *fdp, int nf memcpy(nmap, omap, NDSLOTS(onfiles) * sizeof(*omap)); /* update the pointers and counters */ - fdp->fd_nfiles = nnfiles; memcpy(ntable, otable, onfiles * sizeof(ntable[0])); fdp->fd_ofiles = ntable; fdp->fd_map = nmap; /* + * In order to have a valid pattern for fget_unlocked() + * fdp->fd_nfiles might be the last member to be updated, otherwise + * fget_unlocked() consumers may reference a new, higher value for + * fdp->fd_nfiles before to access the fdp->fd_ofiles array, + * resulting in OOB accesses. + */ + atomic_store_rel_int(&fdp->fd_nfiles, nnfiles); + + /* * Do not free the old file table, as some threads may still * reference entries within it. Instead, place it on a freelist * which will be processed when the struct filedesc is released. @@ -2308,7 +2316,11 @@ fget_unlocked(struct filedesc *fdp, int int error; #endif - if (fd < 0 || fd >= fdp->fd_nfiles) + /* + * Avoid reads reordering and then a first access to the + * fdp->fd_ofiles table which could result in OOB operation. + */ + if (fd < 0 || fd >= atomic_load_acq_int(&fdp->fd_nfiles)) return (EBADF); /* * Fetch the descriptor locklessly. We avoid fdrop() races by
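Review bot: In the fdgrowtable() hunk, the new comment says fd_nfiles "might be the last member to be updated", which understates the requirement; the release store only protects readers if fd_nfiles is always the last field written after fd_ofiles and fd_map, so "must be the last member updated" is the intended wording, and "before to access" should read "before accessing". It would also help a future reader to state that this atomic_store_rel_int() pairs with the atomic_load_acq_int() in fget_unlocked(), since neither barrier means anything without the other. Moving the fd_nfiles assignment from before the memcpy/fd_ofiles/fd_map stores to after them is the substantive fix and looks correct.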
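Review bot: In the fget_unlocked() hunk, the comment "Avoid reads reordering and then a first access to the fdp->fd_ofiles table which could result in OOB operation" is hard to parse; suggest "Load fd_nfiles with acquire semantics so that a reader observing the grown fd_nfiles also observes the grown fd_ofiles table stored before the matching release in fdgrowtable()." The acquire load here is only the matching half of that release store, so any other lock-free path that compares against fd_nfiles and then dereferences fd_ofiles would keep the same out-of-bounds window unless it uses the same atomic_load_acq_int(); checking for such readers before commit would be worthwhile.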
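The publish/observe pairing the commit relies on, written here as an added illustration in C11 atomics on a toy table (not FreeBSD code; toy_fdtable, toy_grow and toy_lookup are hypothetical names): the writer stores the size last with release semantics, and the reader's bounds check loads it with acquire semantics before indexing the table.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for struct filedesc (hypothetical names, not kernel code). */
struct toy_fdtable {
	_Atomic(void **) ofiles;	/* file table, replaced by a larger one on grow */
	_Atomic int nfiles;		/* capacity; must be the last field published */
	void **retired;			/* old table kept alive for lock-free readers */
};

/* Writer side (under the filedesc lock in the kernel): mirrors fdgrowtable(). */
int
toy_grow(struct toy_fdtable *t, int nnfiles)
{
	int onfiles = atomic_load_explicit(&t->nfiles, memory_order_relaxed);
	void **otable = atomic_load_explicit(&t->ofiles, memory_order_relaxed);
	void **ntable;

	if (nnfiles <= onfiles ||
	    (ntable = calloc((size_t)nnfiles, sizeof(*ntable))) == NULL)
		return (-1);
	if (otable != NULL)
		memcpy(ntable, otable, (size_t)onfiles * sizeof(*ntable));
	/* Publish the larger table first; never free the old one here. */
	t->retired = otable;
	atomic_store_explicit(&t->ofiles, ntable, memory_order_release);
	/*
	 * Publish the size last with release semantics: a reader whose acquire
	 * load returns nnfiles is guaranteed to also see ntable, so its bounds
	 * check can never admit an index that only fits the new table into
	 * the old, smaller one (the OOB access the commit fixes).
	 */
	atomic_store_explicit(&t->nfiles, nnfiles, memory_order_release);
	return (0);
}

/* Reader side: mirrors fget_unlocked(); the acquire load is the r255868 fix. */
void *
toy_lookup(struct toy_fdtable *t, int fd)
{
	if (fd < 0 || fd >= atomic_load_explicit(&t->nfiles, memory_order_acquire))
		return (NULL);	/* EBADF in the kernel */
	/* Ordered after the acquire: this is the table for nfiles or a newer one. */
	return (atomic_load_explicit(&t->ofiles, memory_order_acquire)[fd]);
}
```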