NetBSD Problem Report #43025

From www@NetBSD.org  Sat Mar 20 23:51:59 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 585DE63B86C
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 20 Mar 2010 23:51:59 +0000 (UTC)
Message-Id: <20100320235159.23EB363B11D@www.NetBSD.org>
Date: Sat, 20 Mar 2010 23:51:59 +0000 (UTC)
From: ad@netbsd.org
Reply-To: ad@netbsd.org
To: gnats-bugs@NetBSD.org
Subject: Non-atomic access to file_t causing corruption
X-Send-Pr-Version: www-1.0

>Number:         43025
>Category:       kern
>Synopsis:       Non-atomic access to file_t causing corruption
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 20 23:55:00 +0000 2010
>Last-Modified:  Mon May 27 03:25:01 +0000 2019
>Originator:     Andrew Doran
>Release:        -current
>Organization:
The NetBSD Project
>Environment:
>Description:
sys_generic.c:

	case FIOCLEX:
		ff->ff_exclose = true;
		fdp->fd_exclose = true;
		goto out;
	}

Both fields are boolean (8-bit).  The set is deliberately unlocked as there is no need to synchronize with consumers.  On architectures which cannot do atomic 8-bit writes, there is the potential for corruption of adjacent fields if the data structure layouts are modified, as we do not synchronize with modifications to adjacent fields within the same 32-bit word.

>How-To-Repeat:
Code inspection.
>Fix:
fd_exclose: make it an 'int'.

ff_exclose: add a comment to the file_t structure; ff_allocated will not change while the file descriptor is active, so no need to synchronize.  Be careful when adding additional fields within the same 32-bit word.  Add a comment to sys_ioctl indicating that the set is deliberately unlocked; see the comment at file_t.
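
The lost update described in this report, as an added example that is not part of the original PR or the NetBSD source: it models a byte store carried out as a 32-bit load/merge/store on a CPU without 8-bit stores, interleaved deterministically with a write to an adjacent field. The struct layouts, the field name `neighbour` and all function names are hypothetical, and `int` is assumed to be 32 bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: two 8-bit flags sharing one 32-bit word,
 * standing in for an exclose flag and a field added next to it. */
struct packed_flags { uint8_t exclose; uint8_t neighbour; uint8_t pad[2]; };

/* Layout after the proposed fix: the flag gets a word of its own. */
struct wide_flags { int exclose; int neighbour; };

/* Step 1 of an emulated byte store: load the containing word. */
static uint32_t rmw_load(const void *word)
{
	uint32_t w;
	memcpy(&w, word, sizeof(w));
	return w;
}

/* Steps 2 and 3: merge the byte into the (possibly stale) copy, store the word. */
static void rmw_store(void *word, uint32_t copy, size_t off, uint8_t val)
{
	memcpy((uint8_t *)&copy + off, &val, 1);
	memcpy(word, &copy, sizeof(copy));
}

/* The unlocked setter is interrupted between load and store by another
 * CPU updating the adjacent field. Returns the neighbour's final value. */
uint8_t packed_neighbour_after_race(void)
{
	struct packed_flags f = { 0, 0, { 0, 0 } };
	uint32_t stale = rmw_load(&f);	/* CPU A starts exclose = true */
	f.neighbour = 1;		/* CPU B updates the neighbour  */
	rmw_store(&f, stale, offsetof(struct packed_flags, exclose), 1);
	return f.neighbour;		/* CPU B's update was overwritten */
}

/* Same interleaving with word-sized fields: the setter is a plain
 * 32-bit store that never touches the neighbour's word. */
int wide_neighbour_after_race(void)
{
	struct wide_flags f = { 0, 0 };
	f.neighbour = 1;		/* CPU B updates the neighbour */
	f.exclose = 1;			/* CPU A: single word store    */
	return f.neighbour;
}

int main(void)
{
	printf("packed: neighbour=%u\n", (unsigned)packed_neighbour_after_race());
	printf("wide:   neighbour=%d\n", wide_neighbour_after_race());
	return 0;
}
```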


>Audit-Trail:
From: coypu@sdf.org
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/43025: Non-atomic access to file_t causing corruption
Date: Mon, 27 May 2019 03:21:56 +0000

 The code moved to fd_set_exclose.
