* [9fans] devproc noteid changing for none
@ 2014-01-02 21:17 cinap_lenrek
2014-01-02 21:22 ` erik quanstrom
0 siblings, 1 reply; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 21:17 UTC (permalink / raw)
To: 9fans
one can change the note group of a process with devproc
by writing noteid file.
case Qnoteid:
id = atoi(a);
if(id == p->pid) {
p->noteid = id;
break;
}
t = proctab(0);
for(et = t+conf.nproc; t < et; t++) {
if(t->state == Dead)
continue;
if(id == t->noteid) {
if(strcmp(p->user, t->user) != 0)
error(Eperm);
p->noteid = id;
break;
}
}
if(p->noteid != id)
error(Ebadarg);
break;
the strcmp() check in that loop isnt enougth when the
user doing the write is "none" as this would allow him
to change the noteid of its process to another "none"
session and and then kill it. like for example to one
of the aux/listen procs.
the rules for "none" user is that he cant open other
processes running as "none" except its own calling
proc.
http://code.google.com/p/plan9front/source/detail?r=118280a79161c8cf42164bcc9458af7650652f91
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 21:17 [9fans] devproc noteid changing for none cinap_lenrek
@ 2014-01-02 21:22 ` erik quanstrom
2014-01-02 21:29 ` cinap_lenrek
2014-01-02 21:32 ` cinap_lenrek
0 siblings, 2 replies; 24+ messages in thread
From: erik quanstrom @ 2014-01-02 21:22 UTC (permalink / raw)
To: 9fans
On Thu Jan 2 16:19:12 EST 2014, cinap_lenrek@felloff.net wrote:
> one can change the note group of a process with devproc
> by writing noteid file.
>
> case Qnoteid:
> id = atoi(a);
> if(id == p->pid) {
> p->noteid = id;
> break;
> }
> t = proctab(0);
> for(et = t+conf.nproc; t < et; t++) {
> if(t->state == Dead)
> continue;
> if(id == t->noteid) {
> if(strcmp(p->user, t->user) != 0)
> error(Eperm);
> p->noteid = id;
> break;
> }
> }
> if(p->noteid != id)
> error(Ebadarg);
> break;
procopen() does nonone for Qnoteid. isn't that enough?
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 21:22 ` erik quanstrom
@ 2014-01-02 21:29 ` cinap_lenrek
2014-01-02 21:32 ` cinap_lenrek
1 sibling, 0 replies; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 21:29 UTC (permalink / raw)
To: 9fans
no, its not. because "none" can indeed open its own noteid file.
nonone makes sure that it cannot open the noteid file of a process
*different* from up when up->user == "none".
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 21:22 ` erik quanstrom
2014-01-02 21:29 ` cinap_lenrek
@ 2014-01-02 21:32 ` cinap_lenrek
2014-01-02 21:35 ` erik quanstrom
1 sibling, 1 reply; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 21:32 UTC (permalink / raw)
To: 9fans
a process running as "none" can only access its own (calling) process.
but noteid write allows it to change the noteid of its own process to
a nother group (also running as none) which allows it to send notes
to that group.
this has to be prevented.
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 21:32 ` cinap_lenrek
@ 2014-01-02 21:35 ` erik quanstrom
2014-01-02 21:41 ` cinap_lenrek
2014-01-02 21:43 ` erik quanstrom
0 siblings, 2 replies; 24+ messages in thread
From: erik quanstrom @ 2014-01-02 21:35 UTC (permalink / raw)
To: 9fans
On Thu Jan 2 16:33:33 EST 2014, cinap_lenrek@felloff.net wrote:
> a process running as "none" can only access its own (calling) process.
>
> but noteid write allows it to change the noteid of its own process to
> a nother group (also running as none) which allows it to send notes
> to that group.
>
> this has to be prevented.
; cd /proc/$pid; pwd
/proc/75189
; cat noteid
76810 ;
; auth/none
; cd /proc/$pid; pwd
/proc/75192
; cat noteid
cat: can't open noteid: 'noteid' permission denied
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 21:35 ` erik quanstrom
@ 2014-01-02 21:41 ` cinap_lenrek
2014-01-02 21:43 ` erik quanstrom
1 sibling, 0 replies; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 21:41 UTC (permalink / raw)
To: 9fans
thats because cat tries to open the noteid file of
your rc shell (running as none). and not the noteid
file of its own process (cat).
static void
nonone(Proc *p)
{
if(p == up)
return;
if(strcmp(up->user, "none") != 0)
return;
if(iseve())
return;
error(Eperm);
}
nonone() is always ok for p == up. in your case, p != up
so it fails (as expected).
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 21:35 ` erik quanstrom
2014-01-02 21:41 ` cinap_lenrek
@ 2014-01-02 21:43 ` erik quanstrom
2014-01-02 21:55 ` cinap_lenrek
1 sibling, 1 reply; 24+ messages in thread
From: erik quanstrom @ 2014-01-02 21:43 UTC (permalink / raw)
To: 9fans
> ; cd /proc/$pid; pwd
> /proc/75189
> ; cat noteid
> 76810 ;
> ; auth/none
> ; cd /proc/$pid; pwd
> /proc/75192
> ; cat noteid
> cat: can't open noteid: 'noteid' permission denied
never mind. different process. how did you find this, anyway?
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 21:43 ` erik quanstrom
@ 2014-01-02 21:55 ` cinap_lenrek
2014-01-02 22:31 ` erik quanstrom
0 siblings, 1 reply; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 21:55 UTC (permalink / raw)
To: 9fans
i was investigating all callers of postnote() for bugs that could
lead to spurious notes like the alarm race i described before. btw
this has been fixed too. the key is to recheck p->alarm while holding
p->debug qlock. once you have it, the process cannot exit under you.
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 21:55 ` cinap_lenrek
@ 2014-01-02 22:31 ` erik quanstrom
2014-01-02 22:47 ` erik quanstrom
2014-01-02 22:53 ` cinap_lenrek
0 siblings, 2 replies; 24+ messages in thread
From: erik quanstrom @ 2014-01-02 22:31 UTC (permalink / raw)
To: 9fans
On Thu Jan 2 16:55:59 EST 2014, cinap_lenrek@felloff.net wrote:
> i was investigating all callers of postnote() for bugs that could
> lead to spurious notes like the alarm race i described before. btw
> this has been fixed too. the key is to recheck p->alarm while holding
> p->debug qlock. once you have it, the process cannot exit under you.
cool. if that's the protocol, doesn't the debug lock need to be held whenever
up->alarm is modified?
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 22:31 ` erik quanstrom
@ 2014-01-02 22:47 ` erik quanstrom
2014-01-02 22:56 ` cinap_lenrek
2014-01-02 22:53 ` cinap_lenrek
1 sibling, 1 reply; 24+ messages in thread
From: erik quanstrom @ 2014-01-02 22:47 UTC (permalink / raw)
To: 9fans
On Thu Jan 2 17:32:08 EST 2014, quanstro@quanstro.net wrote:
> On Thu Jan 2 16:55:59 EST 2014, cinap_lenrek@felloff.net wrote:
> > i was investigating all callers of postnote() for bugs that could
> > lead to spurious notes like the alarm race i described before. btw
> > this has been fixed too. the key is to recheck p->alarm while holding
> > p->debug qlock. once you have it, the process cannot exit under you.
>
> cool. if that's the protocol, doesn't the debug lock need to be held whenever
> up->alarm is modified?
checkalarms will hang during rollover. suppose sys->ticks = 1<<31,
then (long)((1<<31) - 0) = -2147483648. this will stay negative for a
2147483648/HZ seconds.
i think this is necessary:
void
checkalarms(void)
{
Proc *p;
ulong now;
p = alarms.head;
now = sys->ticks;
if(p != nil)
if(p->alarm == 0 || (long)(now - p->alarm) >= 0)
wakeup(&alarmr);
}
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 22:31 ` erik quanstrom
2014-01-02 22:47 ` erik quanstrom
@ 2014-01-02 22:53 ` cinap_lenrek
2014-01-02 22:57 ` erik quanstrom
1 sibling, 1 reply; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 22:53 UTC (permalink / raw)
To: 9fans
no. the debug qlock is so the process wont exit. once you hold it,
the process might be running, might be in the process of exiting
might have been already exited or might have been reused.
the key here is that while you hold it. it wont make it to the
process freelist when not already there. it wont change
from "exiting -> exited". but it wont prevent it from being
reused when it was exited already... but...
pexit() zeros p->alarm. and p->alarm can not be set to non-zero
value again while we hold the alarms qlock in the kproc!
so this actually works.
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 22:53 ` cinap_lenrek
@ 2014-01-02 22:57 ` erik quanstrom
2014-01-02 23:01 ` cinap_lenrek
` (2 more replies)
0 siblings, 3 replies; 24+ messages in thread
From: erik quanstrom @ 2014-01-02 22:57 UTC (permalink / raw)
To: 9fans
On Thu Jan 2 17:54:50 EST 2014, cinap_lenrek@felloff.net wrote:
> no. the debug qlock is so the process wont exit. once you hold it,
> the process might be running, might be in the process of exiting
> might have been already exited or might have been reused.
>
> the key here is that while you hold it. it wont make it to the
> process freelist when not already there. it wont change
> from "exiting -> exited". but it wont prevent it from being
> reused when it was exited already... but...
>
> pexit() zeros p->alarm. and p->alarm can not be set to non-zero
> value again while we hold the alarms qlock in the kproc!
>
> so this actually works.
>
the code says you can set alarm = 0 without holding the alarms lock.
ulong
procalarm(ulong time)
{
Proc **l, *f;
ulong when, old;
if(up->alarm)
old = tk2ms(up->alarm - sys->ticks);
else
old = 0;
if(time == 0) {
>> up->alarm = 0;
>> return old;
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 22:57 ` erik quanstrom
@ 2014-01-02 23:01 ` cinap_lenrek
2014-01-02 23:04 ` erik quanstrom
2014-01-02 23:05 ` cinap_lenrek
2014-01-02 23:09 ` cinap_lenrek
2 siblings, 1 reply; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 23:01 UTC (permalink / raw)
To: 9fans
exactly. but you cannot set it to non-zero value again. which is
what we are interested in to prevent sending the note when the
process has been reused.
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 23:01 ` cinap_lenrek
@ 2014-01-02 23:04 ` erik quanstrom
0 siblings, 0 replies; 24+ messages in thread
From: erik quanstrom @ 2014-01-02 23:04 UTC (permalink / raw)
To: 9fans
On Thu Jan 2 18:02:33 EST 2014, cinap_lenrek@felloff.net wrote:
> exactly. but you cannot set it to non-zero value again. which is
> what we are interested in to prevent sending the note when the
> process has been reused.
it's also important for alarm(0) to complete or not complete. without
holding the lock, alarm(0) can return 0 and then deliver a note!
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 22:57 ` erik quanstrom
2014-01-02 23:01 ` cinap_lenrek
@ 2014-01-02 23:05 ` cinap_lenrek
2014-01-02 23:09 ` cinap_lenrek
2 siblings, 0 replies; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 23:05 UTC (permalink / raw)
To: 9fans
said other. it is ok to send the note when p->alarms is non-zero
while holding the p->debug lock. it might just change to zero
after our check but this is ok. we will send the note but pexit()
will not make it to put the process on the freelist until we
release the debug qlock.
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 22:57 ` erik quanstrom
2014-01-02 23:01 ` cinap_lenrek
2014-01-02 23:05 ` cinap_lenrek
@ 2014-01-02 23:09 ` cinap_lenrek
2014-01-02 23:17 ` cinap_lenrek
2 siblings, 1 reply; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 23:09 UTC (permalink / raw)
To: 9fans
and yes. you can get follow up alarm on alarm(0); when the alarm had
already triggered. this is unavoidable. say, the alarm could'v posted
the note just before you called alarm(0); as well, but the note was
not delivered yet. once the alarm() syscall returns to userspace, it
would pickup the posted note and call the note handler.
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 23:09 ` cinap_lenrek
@ 2014-01-02 23:17 ` cinap_lenrek
2014-01-02 23:28 ` erik quanstrom
0 siblings, 1 reply; 24+ messages in thread
From: cinap_lenrek @ 2014-01-02 23:17 UTC (permalink / raw)
To: 9fans
that said, just holding alarms qlock while setting up->alarm = 0
is not enougth when you want to guarantee that no alarms will be
delivered when the alarm(0) syscall returns. you would also need to
remove a potentially posted alarm note from your note array and
reset up->notepending (all under debug qlock of course).
--
cinap
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 23:17 ` cinap_lenrek
@ 2014-01-02 23:28 ` erik quanstrom
2014-01-03 0:23 ` erik quanstrom
0 siblings, 1 reply; 24+ messages in thread
From: erik quanstrom @ 2014-01-02 23:28 UTC (permalink / raw)
To: 9fans
On Thu Jan 2 18:18:54 EST 2014, cinap_lenrek@felloff.net wrote:
> that said, just holding alarms qlock while setting up->alarm = 0
> is not enougth when you want to guarantee that no alarms will be
> delivered when the alarm(0) syscall returns. you would also need to
> remove a potentially posted alarm note from your note array and
> reset up->notepending (all under debug qlock of course).
that's true. up->nnote is not atomicly incremented. alarm is an
insideous little monster. it looks like a simple interface, but it is not.
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [9fans] devproc noteid changing for none
2014-01-02 23:28 ` erik quanstrom
@ 2014-01-03 0:23 ` erik quanstrom
2014-01-03 0:32 ` cinap_lenrek
0 siblings, 1 reply; 24+ messages in thread
From: erik quanstrom @ 2014-01-03 0:23 UTC (permalink / raw)
To: 9fans
i think the list insertion code needs a single-read
test that f->alarm != 0. to prevent the 0 from
acting like a fencepost. e.g. trying to insert -10 into
list -40 -30 0 -20.
if(alarms.head) {
l = &alarms.head;
for(f = *l; f; f = f->palarm) {
>> fw = f->alarm;
>> if(fw != 0 && (long)(fw - when) >= 0) {
up->palarm = f;
*l = up;
goto done;
}
l = &f->palarm;
}
*l = up;
}
- erik
^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2014-01-03 1:31 UTC | newest]
Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-01-02 21:17 [9fans] devproc noteid changing for none cinap_lenrek
2014-01-02 21:22 ` erik quanstrom
2014-01-02 21:29 ` cinap_lenrek
2014-01-02 21:32 ` cinap_lenrek
2014-01-02 21:35 ` erik quanstrom
2014-01-02 21:41 ` cinap_lenrek
2014-01-02 21:43 ` erik quanstrom
2014-01-02 21:55 ` cinap_lenrek
2014-01-02 22:31 ` erik quanstrom
2014-01-02 22:47 ` erik quanstrom
2014-01-02 22:56 ` cinap_lenrek
2014-01-02 22:53 ` cinap_lenrek
2014-01-02 22:57 ` erik quanstrom
2014-01-02 23:01 ` cinap_lenrek
2014-01-02 23:04 ` erik quanstrom
2014-01-02 23:05 ` cinap_lenrek
2014-01-02 23:09 ` cinap_lenrek
2014-01-02 23:17 ` cinap_lenrek
2014-01-02 23:28 ` erik quanstrom
2014-01-03 0:23 ` erik quanstrom
2014-01-03 0:32 ` cinap_lenrek
2014-01-03 1:16 ` erik quanstrom
2014-01-03 1:23 ` cinap_lenrek
2014-01-03 1:31 ` erik quanstrom
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).