Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 29 Mar 2014 00:52:47 -0700 (PDT)
From:      Don Lewis <truckman@FreeBSD.org>
To:        mjguzik@gmail.com
Cc:        src-committers@FreeBSD.org, mjg@FreeBSD.org, svn-src-all@FreeBSD.org, svn-src-head@FreeBSD.org, davidxu@FreeBSD.org, kostikbel@gmail.com
Subject:   Re: svn commit: r263755 - head/sys/kern
Message-ID:  <201403290752.s2T7qldY012467@gw.catspoiler.org>
In-Reply-To: <20140329041441.GD29296@dft-labs.eu>

next in thread | previous in thread | raw e-mail | index | archive | help
On 29 Mar, Mateusz Guzik wrote:
> On Sat, Mar 29, 2014 at 11:52:09AM +0800, David Xu wrote:
>> >If fsetown handling like this is insecure this would bite us in that
>> >scenario (and few others). In short, if we can avoid giving another way
>> >to corrupt stuff in the kernel to userspace, we should.
>> >
>> I can not see what you said, where is the security problem with fsetown ?
>> if you have per-jail instance of devsoftc, they all are operating on their
>> own instance. but I don't think this patch should address jail now, there
>> are many things are not jail ready.
>> 
> 
> I asked if multpiple concurrent calls to fsetown(.., &pointer) could
> result in some corruption in the kernel - if they could, we would have a
> problem in the future.
>
> I decided to read the code once more and fsetown seems to be safe in
> this regard after all and with that in mind the patch looks good to me.
 

The fsetown() implementation does sufficient locking to prevent the
kernel from getting into a bad state.  The issue is that the device can
only have at most one owner (which may be a process group).  If multiple
processes are allowed to open the device, or if a process that opened
the device shares the descriptor with another process, the last call to
fsetown() wins.  That means that one process could steal ownership from
another if they both have the same device open.

The reason that I suggested checking ownership when handling FIOASYNC is
that in the case of two processes sharing access to a device, there is
currently nothing that prevents a non-owner of the device from enabling
this mode and causing SIGIO signals to be sent to the owner, which might
not be expecting to receive them.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403290752.s2T7qldY012467>