From owner-freebsd-current@FreeBSD.ORG Sat Mar 21 18:19:37 2015 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 42EA39D0; Sat, 21 Mar 2015 18:19:37 +0000 (UTC) Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BE2657A5; Sat, 21 Mar 2015 18:19:36 +0000 (UTC) Received: by wixw10 with SMTP id w10so18750726wix.0; Sat, 21 Mar 2015 11:19:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; bh=u7EpBLOHiM/qK5EsYbBnyR8O5JnaCvRVMy8aW8Im8Uw=; b=UpnTojmUmDZHV6xMdzlE5FqgMw3eI12moV+PMRYqgPF9Fcv7i570ge6t4cL0AoxdPB OMASXkhHJBNX4hKmXoC3S3GSTZwvOeXR8ooYRkfM3Gcfz1h0YTDOvar6wT+zoo8sIVXP SgIdVnV6cs8kxJyylHNot3uUoBPUgDX9HXXoH3CBvTxgrOKEgneoB36CvlGM4xtBd6iV h3iQ56KQ5PMnbSaI9yLXcedOu4pLK90qUGX8tll2zddDlAm2HjerV/Ho+8kPMPIQsAJY 9BSiXmtBxsoe4znYHTjrMWexx2KUKOwjfrs+k4w/mmH+PrOU7afOxQmvEPpBySwgA2N7 qpIw== X-Received: by 10.180.103.166 with SMTP id fx6mr5986835wib.4.1426961975171; Sat, 21 Mar 2015 11:19:35 -0700 (PDT) Received: from dft-labs.eu (n1x0n-1-pt.tunnel.tserv5.lon1.ipv6.he.net. [2001:470:1f08:1f7::2]) by mx.google.com with ESMTPSA id n1sm3410366wib.11.2015.03.21.11.19.33 (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Sat, 21 Mar 2015 11:19:33 -0700 (PDT) Date: Sat, 21 Mar 2015 19:19:31 +0100 From: Mateusz Guzik To: Konstantin Belousov Subject: Re: [PATCH 1/3] fork: assign refed credentials earlier Message-ID: <20150321181931.GA14650@dft-labs.eu> Mail-Followup-To: Mateusz Guzik , Konstantin Belousov , jenkins-admin@freebsd.org, freebsd-current@freebsd.org, Mateusz Guzik References: <20150320122125.GP2379@kib.kiev.ua> <1426899640-6599-1-git-send-email-mjguzik@gmail.com> <1426899640-6599-2-git-send-email-mjguzik@gmail.com> <20150321015151.GF2379@kib.kiev.ua> <20150321015722.GC27736@dft-labs.eu> <20150321141832.GH2379@kib.kiev.ua> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20150321141832.GH2379@kib.kiev.ua> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-current@freebsd.org, jenkins-admin@freebsd.org, Mateusz Guzik X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Mar 2015 18:19:37 -0000 On Sat, Mar 21, 2015 at 04:18:32PM +0200, Konstantin Belousov wrote: > On Sat, Mar 21, 2015 at 02:57:22AM +0100, Mateusz Guzik wrote: > > On Sat, Mar 21, 2015 at 03:51:51AM +0200, Konstantin Belousov wrote: > > > On Sat, Mar 21, 2015 at 02:00:38AM +0100, Mateusz Guzik wrote: > > > > From: Mateusz Guzik > > > > > > > > Prior to this change the kernel would take p1's credentials and assign > > > > them tempororarily to p2. But p1 could change credentials at that time > > > > and in effect give us a use-after-free. > > > In which way could it change the credentials ? The assigned credentials > > > are taken from td_ucred, which, I thought, are guaranteed to be stable > > > for the duration of a syscall. > > > > > > > It takes thread's credential in do_fork. But initial copy is taken > > unlocked from struct proc. > > > > Relevant part of the diff: > > > > @@ -870,7 +867,7 @@ fork1(struct thread *td, int flags, int pages, struct proc **procp, > > > > * XXX: This is ugly; when we copy resource usage, we need to bump > > > > * per-cred resource counters. > > > > */ > > > > - proc_set_cred(newproc, p1->p_ucred); > > > > + proc_set_cred(newproc, crhold(td->td_ucred)); > > > > > > I do not understand your note, nor I see the chunk above in the patches > you send. Below is the citation from the patch 1: > > @@ -410,9 +410,6 @@ do_fork(struct thread *td, int flags, struct proc *p2, > +struct thread *td2, > bzero(&p2->p_startzero, > __rangeof(struct proc, p_startzero, p_endzero)); > > - crhold(td->td_ucred); > - proc_set_cred(p2, td->td_ucred); > - fork1 does: proc_set_cred(newproc, p1->p_ucred); p1 is unlocked, so whatever memory p1->p_ucred points to may already be freed. /* * Initialize resource accounting for the child process. */ error = racct_proc_fork(p1, newproc); if (error != 0) { error = EAGAIN; goto fail1; } racct_proc_fork -> racct_add_locked results in accessing such now-possibly-freed credentials. do_fork which properly assigns credentials (from a stable source (td_ucred) + grabs a reference) is called later. The patch in question moves aforementioned assignent earlier to replace unsafe one with p1->p_ucred. -- Mateusz Guzik