NetBSD-Bugs archive


kern/43025: Non-atomic access to file_t causing corruption



>Number:         43025
>Category:       kern
>Synopsis:       Non-atomic access to file_t causing corruption
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 20 23:55:00 +0000 2010
>Originator:     Andrew Doran
>Release:        -current
>Organization:
The NetBSD Project
>Environment:
>Description:
sys_generic.c:

        case FIOCLEX:
                ff->ff_exclose = true;
                fdp->fd_exclose = true;
                goto out;
        }


Both fields are boolean (8-bit).  The set is deliberately unlocked as there is 
no need to synchronize with consumers.  On architectures which cannot do atomic 
8-bit writes, there is the potential for corruption of adjacent fields if the 
data structure layouts are modified, as we do not synchronize with 
modifications to adjacent fields within the same 32-bit word.

>How-To-Repeat:
Code inspection.
>Fix:
fd_exclose: make it an 'int'.

ff_exclose: add a comment to the file_t structure; ff_allocated will not change 
while the file descriptor is active, so there is no need to synchronize.  Be careful 
when adding additional fields within the same 32-bit word.  Add a comment to sys_ioctl 
indicating that the set is deliberately unlocked, see the comment at file_t.
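The following is an added example, not NetBSD code and not part of this PR: it models the hazard the report describes. On a CPU without byte-granular stores, an 8-bit store is really load-word / merge-byte / store-word, so an unlocked write to one byte can silently undo a concurrent write to a neighbouring byte of the same 32-bit word. The interleaving is driven by hand so the outcome is deterministic; the rmw_* helpers, the byte positions standing in for ff_exclose and ff_allocated, and the function names are this example's own assumptions.

```c
/*
 * Added example (not NetBSD code): model of the torn byte store described in
 * kern/43025. Byte 0 of the model word stands in for ff_exclose, byte 1 for
 * ff_allocated. Helper names and layout are assumptions of this example.
 */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define EXCLOSE_BYTE   0u
#define ALLOCATED_BYTE 1u

/* One emulated byte store, split into its three machine-level steps. */
struct rmw {
    uint32_t *word;   /* the aligned word being read-modify-written */
    uint32_t  tmp;    /* register copy held between load and store */
};

static void rmw_load(struct rmw *r, uint32_t *word)
{
    r->word = word;
    r->tmp = *word;                        /* load the whole word */
}

static void rmw_merge(struct rmw *r, unsigned byte, uint8_t val)
{
    uint32_t mask = 0xffu << (8u * byte);
    r->tmp = (r->tmp & ~mask) | ((uint32_t)val << (8u * byte));  /* merge one byte */
}

static void rmw_store(const struct rmw *r)
{
    *r->word = r->tmp;                     /* store the whole word, neighbours included */
}

static uint8_t byte_of(uint32_t word, unsigned byte)
{
    return (uint8_t)(word >> (8u * byte));
}

/*
 * Lost update: CPU A sets the exclose byte (the unlocked FIOCLEX path) while
 * CPU B sets the allocated byte. Both load before either stores, so the last
 * store overwrites the other CPU's byte with a stale copy.
 * Returns the final word: allocated=1 but exclose=0, i.e. 0x00000100.
 */
uint32_t torn_interleaving(void)
{
    uint32_t word = 0;
    struct rmw a, b;

    rmw_load(&a, &word);                   /* A: load  (sees 0x00000000) */
    rmw_load(&b, &word);                   /* B: load  (sees 0x00000000) */
    rmw_merge(&a, EXCLOSE_BYTE, 1);        /* A: exclose = true, in a register */
    rmw_merge(&b, ALLOCATED_BYTE, 1);      /* B: allocated = true, in a register */
    rmw_store(&a);                         /* A: word = 0x00000001 */
    rmw_store(&b);                         /* B: word = 0x00000100, A's byte is gone */
    return word;
}

/*
 * One remedy if the bytes must share a word: make the merge an atomic
 * read-modify-write (LL/SC or CAS loop in hardware), so no concurrent store
 * to a neighbouring byte can be overwritten. Returns 0x00000101.
 */
uint32_t atomic_rmw_result(void)
{
    _Atomic uint32_t word = 0;

    atomic_fetch_or(&word, 1u << (8u * EXCLOSE_BYTE));
    atomic_fetch_or(&word, 1u << (8u * ALLOCATED_BYTE));
    return atomic_load(&word);
}

/*
 * The remedy the PR proposes for fd_exclose: widen the flag to an int so each
 * write is a plain aligned word store that touches no neighbour. Bit 0 of the
 * result is exclose, bit 1 is allocated; returns 3.
 */
unsigned widened_fields(void)
{
    int exclose = 0;                       /* its own word */
    int allocated = 0;                     /* its own word */

    exclose = 1;                           /* single word store, nothing merged */
    allocated = 1;                         /* single word store, nothing merged */
    return (exclose ? 1u : 0u) | (allocated ? 2u : 0u);
}

int main(void)
{
    uint32_t w = torn_interleaving();
    printf("torn:    exclose=%u allocated=%u\n",
           byte_of(w, EXCLOSE_BYTE), byte_of(w, ALLOCATED_BYTE));
    w = atomic_rmw_result();
    printf("atomic:  exclose=%u allocated=%u\n",
           byte_of(w, EXCLOSE_BYTE), byte_of(w, ALLOCATED_BYTE));
    printf("widened: %u\n", widened_fields());
    return 0;
}
```

The torn case is exactly why the report warns about adding fields in the same 32-bit word: the store that clobbers ff_exclose need not be a write to ff_exclose at all, only to any byte that shares its word, and nothing in the unlocked FIOCLEX path prevents that.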



