Date: Wed, 23 Dec 1998 10:56:20 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Eivind Eklund <eivind@yes.no>, Dag-Erling Smorgrav <des@flood.ping.uio.no>, security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.conf
Message-ID: <Pine.BSF.3.96.981223105227.19970A-100000@fledge.watson.org>
In-Reply-To: <199812230502.VAA11013@apollo.backplane.com>
On Tue, 22 Dec 1998, Matthew Dillon wrote:

>
> :> capability transfer support in BSD - you pass an fd over a local
> :> socket, using SCM_RIGHTS.
> :...
> :
> :The BSD book describes a bug in the mark and sweep garbage collection
> :algorithm that can result in file descriptor hijacking or kernel memory
> :nasties. Does anyone know if this was ever fixed? (It is discussed in
> :the 4.4BSD book in a footnote on the page that discusses SCM_RIGHTS) I
> :glanced through the code for a while this summer while I was modifying the
> :SCM_ ancillary data passing code to be hookable by an LKM. My goal was to
> :...
>
> I have no idea.... what does the footnote say exactly? Does it give
> enough info to point us to a procedure or source file to look at ?

Unfortunately, I have no idea. I'm in Washington, DC, and my copy of the 4.4 book is in Pittsburgh--I just recalled it being there in the 4.4 edition and trying to figure out the consequences.

From memory, I believe that the issue was that they didn't sweep through descriptors in messages to unix domain sockets in the listen state that might have been queued prior to an accept. As such, the entry in the file table would be garbage collected, but when the file descriptor arrived it would continue to point to that open file entry--which might be a problem in either the case that it now pointed to a different file (hijacking) or to a not-open file. As I didn't have a chance to walk through it in any detail, I'm not sure whether you'd just get a kernel panic, or whether non-denial-of-service attacks might be possible. I also was unsure whether it was corrected in lite2.

When I get back home this evening, I'll poke through the appropriate kernel source code and see if my recollection is correct--I won't have access to the BSD book again for about two weeks so someone else will have to find the footnote if they are interested. :-)

I don't believe the footnote mentions hijacking, but that seems to logically be one of the possible outcomes of the problem.

Robert N Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
SafePort Network Services http://www.safeport.com/
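The mechanism the thread is discussing, shown as an added example that is not part of the original messages or of any BSD source: one descriptor is sent over a connected AF_UNIX socket with an SCM_RIGHTS control message, received on the other end, and then checked against the original with fstat(2). The sender closes its own copy before the receiver picks the message up, which is exactly the situation that makes the kernel responsible for keeping (and eventually garbage collecting) in-flight file table entries. The function names send_fd, recv_fd and demo_pass_pipe_read_end are mine; the code assumes a POSIX system with socketpair(2) and the CMSG_* macros (written and checked against Linux/glibc) and uses a pipe so that it needs no files on disk.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

/* Send one descriptor over a connected AF_UNIX socket with SCM_RIGHTS.
 * One byte of ordinary data rides along, since a message with only
 * ancillary data is not delivered on all systems. Returns 0 or -1. */
static int send_fd(int sock, int fd_to_send)
{
    char dummy = 'X';
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    /* Union keeps the control buffer aligned for struct cmsghdr. */
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cmsgbuf;
    struct msghdr msg;

    memset(&msg, 0, sizeof msg);
    memset(&cmsgbuf, 0, sizeof cmsgbuf);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cmsgbuf.buf;
    msg.msg_controllen = sizeof cmsgbuf.buf;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new local fd number or -1.
 * A truncated control message (MSG_CTRUNC) means the kernel dropped
 * the descriptor, so it is treated as a failure rather than ignored. */
static int recv_fd(int sock)
{
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cmsgbuf;
    struct msghdr msg;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cmsgbuf.buf;
    msg.msg_controllen = sizeof cmsgbuf.buf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS
            && cm->cmsg_len == CMSG_LEN(sizeof(int))) {
            int fd;
            memcpy(&fd, CMSG_DATA(cm), sizeof fd);
            return fd;
        }
    }
    return -1;
}

/* Pass the read end of a pipe across a socketpair, close the sender's
 * copy while the message is still queued, then confirm the received fd
 * names the same open file and still delivers data written to the pipe.
 * Returns 1 when every check passes, 0 otherwise. */
int demo_pass_pipe_read_end(void)
{
    int sv[2], pfd[2];
    struct stat before, after;
    char buf[8] = {0};

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if (pipe(pfd) < 0) return 0;
    if (fstat(pfd[0], &before) < 0) return 0;

    if (send_fd(sv[0], pfd[0]) < 0) return 0;
    close(pfd[0]);   /* the in-flight copy is now the only reference */

    int got = recv_fd(sv[1]);
    if (got < 0) return 0;
    if (fstat(got, &after) < 0) return 0;
    int same = (before.st_dev == after.st_dev && before.st_ino == after.st_ino);

    if (write(pfd[1], "ok", 2) != 2) return 0;
    if (read(got, buf, sizeof buf) != 2) return 0;
    int readable = (memcmp(buf, "ok", 2) == 0);

    close(got); close(pfd[1]); close(sv[0]); close(sv[1]);
    return same && readable;
}

int main(void)
{
    printf("fd passing %s\n", demo_pass_pipe_read_end() ? "ok" : "failed");
    return 0;
}
```

The MSG_CTRUNC check matters in practice: if the receiver's control buffer is too small, or a per-process descriptor limit is hit, the kernel delivers the data byte without the descriptor, and a receiver that does not test the flag will happily carry on with whatever stale value was in its buffer.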