From nobody Wed Sep 04 20:29:49 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WzYy5682pz5VKcT; Wed, 04 Sep 2024 20:29:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WzYy54j0nz4JZQ; Wed, 4 Sep 2024 20:29:49 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725481789; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=KklAbJcYelKzN4WCYTtDnIkVDctr1lt8/uiGKWxeFZc=; b=pABwo2+wD5C1SihShvTr02hBz6MlMTuGrOHeCNL5jUNJyLeJuoH1HZnLO78S+yr/2krBHZ N0fovl6mC7acVkXHCFNr0dfUkKiS1mZAQMf0FZq3zF9bg2DzyYswYd++PcfRKPC+f3DQmQ gRtYsKxzq8LbfVl3r04ZmTy4Xei9qD25JkDUr2FByf2cradu97kbKtPfDwCzW556cEWdnW XDLAUqQruN4h2Z2rpQpysJ+Ft2YzPxFG36c538Mi+0J7mVThEEeUSyH0ie5rbrFOdKSh+E wmKypjbR0VXHcetJEb8RnVLziIZVwbXlupM0Px07kg88rABVCrrAV9FNgOEnLA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725481789; a=rsa-sha256; cv=none; b=nY5/5dWCO1/NjolhsKqYWQoQYUH7SsVHeQOVbfNkmbeQhwQh6PbV5Ea2rod7nwzUP8+S3+ gwwMYEttbe3zYwosZUKS10dNfqRogFsPHlRnlQSq7tbnaossSqB9ZMwq4m/Hi4txHh7JXn GacfgOA9yaOE/QQOnzxG607a6TS1oowOHpEIbipNNVrct224bRY4bzXT4qlXyDmtKr4ag/ eJYr2yil5pO8fLbUfOffMsPS3CIiw6CT+d/bI6o30C0GWyqnYG/PaHZOjmKenKgQh0LTlS 6F4eCgBmNkz+ECXQLsFjUom5qHxo26AruT8MQdQtUYztdVJOJZKK2xUnC1p2DQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725481789; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=KklAbJcYelKzN4WCYTtDnIkVDctr1lt8/uiGKWxeFZc=; b=jY0eR1JFEXeXvaJYElyj9cD73FIyNm/A9I8SKo7rJ8Szmtff0JNC6n8bXSXJzCcA5f2+u2 YO7GkImjH9l4XAI+pKv/qspjjunJQQjeTIdwFXZuX7UfdvXcH9UpzJkRf0Yk+JmyT6yH7j 4xmOttnSLTA/11ju9j8AUzMcuEIMq1ddYYILyWvXUF5HDhzn0H8gDWRcKYem4CZpluSE8m pTNazqREyB7vxUEMqa7mtpDIr0fF35zZl7kLc9xlh49GJOWnSCUKAOcA2Adn2Ji3DkHQpn 3K/PE+dVnuGBpLJCLMvLrW0CddTEIBxkUPHPyF6s5ICmb7hKoxHaBEXSIju0XQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4WzYy54KRkzfkQ; Wed, 4 Sep 2024 20:29:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 484KTn2N082904; Wed, 4 Sep 2024 20:29:49 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 484KTnZw082901; Wed, 4 Sep 2024 20:29:49 GMT (envelope-from git) Date: Wed, 4 Sep 2024 20:29:49 GMT Message-Id: <202409042029.484KTnZw082901@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: aba74e58f757 - releng/13.3 - umtx: shm: Prevent reference counting overflow List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/releng/13.3 X-Git-Reftype: branch X-Git-Commit: aba74e58f757b3cdfd63cc1d0e4b877c0355e9a2 Auto-Submitted: auto-generated The branch releng/13.3 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=aba74e58f757b3cdfd63cc1d0e4b877c0355e9a2 commit aba74e58f757b3cdfd63cc1d0e4b877c0355e9a2 Author: Olivier Certner AuthorDate: 2024-09-04 14:38:12 +0000 Commit: Ed Maste CommitDate: 2024-09-04 20:29:29 +0000 umtx: shm: Prevent reference counting overflow This hardens against provoked use-after-free occurences should there be reference counting leaks in the future (which is currently not the case). At the deepest level, umtx_shm_find_reg_unlocked() now returns EOVERFLOW when it cannot grant an additional reference to the registry object, and so will umtx_shm_find_reg(). umtx_shm_create_reg() will fail if calling umtx_shm_find_reg() returns EOVERFLOW (meaning a SHM object for the passed key already exists, but we can't acquire another reference on it), avoiding the creation of a duplicate registry entry for a given key (this wouldn't pose problem for the rest of the code in its current form, but is expressly avoided for intelligibility and hardening purposes). Since umtx_shm_find_reg*(), and consequently the whole _umtx_op() system call, can only return EOVERFLOW on such a bug manifesting, we don't document that return value. Reviewed by: kib, emaste Approved by: emaste (mentor) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46126 (cherry picked from commit c3e6dfe55c0e81d0717b0458bc95128384c3ebe8) (cherry picked from commit b20ae160872071fc20e5dde27051792177057fa5) (cherry picked from commit 8cf43dcd3db6f02f8dc3f0aa23965db107190789) Approved by: so --- sys/kern/kern_umtx.c | 76 +++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 54 insertions(+), 22 deletions(-) diff --git a/sys/kern/kern_umtx.c b/sys/kern/kern_umtx.c index 7f13dd80080a..47fb595f433f 100644 --- a/sys/kern/kern_umtx.c +++ b/sys/kern/kern_umtx.c @@ -4330,8 +4330,17 @@ umtx_shm_reg_delfree_tq(void *context __unused, int pending __unused) static struct task umtx_shm_reg_delfree_task = TASK_INITIALIZER(0, umtx_shm_reg_delfree_tq, NULL); -static struct umtx_shm_reg * -umtx_shm_find_reg_locked(const struct umtx_key *key) +/* + * Returns 0 if a SHM with the passed key is found in the registry, in which + * case it is returned through 'oreg'. Otherwise, returns an error among ESRCH + * (no corresponding SHM; ESRCH was chosen for compatibility, ENOENT would have + * been preferable) or EOVERFLOW (there is a corresponding SHM, but reference + * count would overflow, so can't return it), in which case '*oreg' is left + * unchanged. + */ +static int +umtx_shm_find_reg_locked(const struct umtx_key *key, + struct umtx_shm_reg **const oreg) { struct umtx_shm_reg *reg; struct umtx_shm_reg_head *reg_head; @@ -4351,22 +4360,34 @@ umtx_shm_find_reg_locked(const struct umtx_key *key) ("reg %p refcnt 0 onlist", reg)); KASSERT((reg->ushm_flags & USHMF_LINKED) != 0, ("reg %p not linked", reg)); + /* + * Don't let overflow happen, just deny a new reference + * (this is additional protection against some reference + * count leak, which is known not to be the case at the + * time of this writing). + */ + if (__predict_false(reg->ushm_refcnt == UINT_MAX)) + return (EOVERFLOW); reg->ushm_refcnt++; - return (reg); + *oreg = reg; + return (0); } } - return (NULL); + return (ESRCH); } -static struct umtx_shm_reg * -umtx_shm_find_reg(const struct umtx_key *key) +/* + * Calls umtx_shm_find_reg_unlocked() under the 'umtx_shm_lock'. + */ +static int +umtx_shm_find_reg(const struct umtx_key *key, struct umtx_shm_reg **const oreg) { - struct umtx_shm_reg *reg; + int error; mtx_lock(&umtx_shm_lock); - reg = umtx_shm_find_reg_locked(key); + error = umtx_shm_find_reg_locked(key, oreg); mtx_unlock(&umtx_shm_lock); - return (reg); + return (error); } static void @@ -4466,11 +4487,18 @@ umtx_shm_create_reg(struct thread *td, const struct umtx_key *key, struct ucred *cred; int error; - reg = umtx_shm_find_reg(key); - if (reg != NULL) { - *res = reg; - return (0); + error = umtx_shm_find_reg(key, res); + if (error != ESRCH) { + /* + * Either no error occured, and '*res' was filled, or EOVERFLOW + * was returned, indicating a reference count limit, and we + * won't create a duplicate registration. In both cases, we are + * done. + */ + return (error); } + /* No entry, we will create one. */ + cred = td->td_ucred; if (!chgumtxcnt(cred->cr_ruidinfo, 1, lim_cur(td, RLIMIT_UMTXP))) return (ENOMEM); @@ -4484,12 +4512,20 @@ umtx_shm_create_reg(struct thread *td, const struct umtx_key *key, return (error); } mtx_lock(&umtx_shm_lock); - reg1 = umtx_shm_find_reg_locked(key); - if (reg1 != NULL) { + /* Re-lookup as 'umtx_shm_lock' has been temporarily released. */ + error = umtx_shm_find_reg_locked(key, ®1); + switch (error) { + case 0: mtx_unlock(&umtx_shm_lock); umtx_shm_free_reg(reg); *res = reg1; return (0); + case ESRCH: + break; + default: + mtx_unlock(&umtx_shm_lock); + umtx_shm_free_reg(reg); + return (error); } TAILQ_INSERT_TAIL(&umtx_shm_registry[key->hash], reg, ushm_reg_link); LIST_INSERT_HEAD(USHM_OBJ_UMTX(key->info.shared.object), reg, @@ -4560,13 +4596,9 @@ umtx_shm(struct thread *td, void *addr, u_int flags) if (error != 0) return (error); KASSERT(key.shared == 1, ("non-shared key")); - if ((flags & UMTX_SHM_CREAT) != 0) { - error = umtx_shm_create_reg(td, &key, ®); - } else { - reg = umtx_shm_find_reg(&key); - if (reg == NULL) - error = ESRCH; - } + error = (flags & UMTX_SHM_CREAT) != 0 ? + umtx_shm_create_reg(td, &key, ®) : + umtx_shm_find_reg(&key, ®); umtx_key_release(&key); if (error != 0) return (error);