NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/43025: Non-atomic access to file_t causing corruption

>Number:         43025
>Category:       kern
>Synopsis:       Non-atomic access to file_t causing corruption
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 20 23:55:00 +0000 2010
>Originator:     Andrew Doran
>Release:        -current
The NetBSD Project

    552         case FIOCLEX:
    553                 ff->ff_exclose = true;
    554                 fdp->fd_exclose = true;
    555                 goto out;
    556         }

Both fields are boolean (8-bit).  The set is deliberately unlocked as there is 
no need to synchronize with consumers.  On architectures which cannot do atomic 
8-bit writes, there is the potential for corruption adjacent to fields if the 
data structure layouts are modified, as we do not synchronize with 
modifications to adjacent fields within the same 32-bit word.

Code inspection.
fd_exclose: make it an 'int'.

ff_exclose: add a comment to file_t structure; ff_allocated will not change 
while the file descriptor is active, so no need to synchronize. be careful with 
adding addition fields within same 32-bit word.  add a comment to sys_ioctl 
indicating that the set is deliberately unlocked, see comment at file_t.

Home | Main Index | Thread Index | Old Index