Re: [patch 0/6] lightweight robust futexes: -V3

From: Ingo Molnar
Date: Thu Feb 16 2006 - 16:26:34 EST

Next message: Ram Gupta: "Re: Kernel bug mm/page_alloc.c"
Previous message: Mark Fasheh: "[git patches] ocfs2 updates"
In reply to: Daniel Walker: "Re: [patch 0/6] lightweight robust futexes: -V3"
Next in thread: Christopher Friesen: "Re: [patch 0/6] lightweight robust futexes: -V3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Daniel Walker <dwalker@xxxxxxxxxx> wrote:

>
> On Thu, 16 Feb 2006, Ingo Molnar wrote:
> >and? You can 'manipulate' arbitrary userspace memory, be that used by
> >the kernel or not, and you can do a sys_futex(FUTEX_WAKE) on any
> >arbitrary userspace memory address too (this is a core property of
> >futexes). You must have meant something specific when you said "on the
> >surface looks like a malicious users dream variable". In other words:
> >please move your statement out of innuendo by backing it up with
> >specifics (or by retracting it) - right now it's hanging in the air :)
>
>
> Sorry I didn't mean to leave something hanging out there. I was
> just making an observation. The 'dream variable' comment was maybe a
> little to much and I'll gladly retract that .. I'll replace it with ,
> I think the code needs more review in that area ..

basically, ->futex_offset is not blindly trusted by the kernel either:
it's simply used to calculate a "userspace pointer" value, which it then
uses in a (secure) get_user() access, to do a FUTEX_WAKEUP. [Note that
FUTEX_WAKEUP is already done at do_exit() time via the ->clear_child_tid
userspace pointer.] All in one: this is totally safe.

The purpose of ->futex_offset is to not hardcode glibc's data structure
layout into the kernel. Since 'clean up after locks' is a relatively
rare operation, it was the prudent thing to do.

We could also have registered the futex_offset in the kernel itself, but
I didnt do it that way because that would add another word to
task_struct (for the sake of an operation that is rare), and it would
also make the sys_set_robust_list() operation a bit more expensive. So I
minimized the API to only take a single userspace pointer, which pointer
points to the robust_list_head structure which contains all data to
continue. That data is never trusted and is handled very carefully.

Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ram Gupta: "Re: Kernel bug mm/page_alloc.c"
Previous message: Mark Fasheh: "[git patches] ocfs2 updates"
In reply to: Daniel Walker: "Re: [patch 0/6] lightweight robust futexes: -V3"
Next in thread: Christopher Friesen: "Re: [patch 0/6] lightweight robust futexes: -V3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]