cred: convert the refcount from int to long
On 64-bit platforms this sorts out worries about mitigating bugs which overflow the counter, all while not pessimizng anything -- most notably it avoids whacking per-thread operation in favor of refcount(9) API. The struct already had two instances of 4 byte padding with 256 bytes in size, cr_flags gets moved around to avoid growing it. 32-bit platforms could also get the extended counter, but I did not do it as one day(tm) the mutex protecting centralized operation should be replaced with atomics and 64-bit ops on 32-bit platforms remain quite penalizing. While worries of counter overflow are addressed, the following is not (just like it would not be with conversion to refcount(9)): - counter *underflows* - buffer overruns from adjacent allocations - UAF due to stale cred pointer - .. and other goodies As such, while lipstick was placed, the pig should not be participating in any beauty pageants. Prodded by: emaste Differential Revision: https://reviews.freebsd.org/D39220
This commit is contained in:
parent
21d29c5192
commit
37337709d3
@ -1877,7 +1877,7 @@ crunuse(struct thread *td)
|
||||
__func__, cr->cr_users, cr));
|
||||
cr->cr_users--;
|
||||
if (cr->cr_users == 0) {
|
||||
KASSERT(cr->cr_ref > 0, ("%s: ref %d not > 0 on cred %p",
|
||||
KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
|
||||
__func__, cr->cr_ref, cr));
|
||||
crold = cr;
|
||||
} else {
|
||||
@ -1905,7 +1905,7 @@ crunusebatch(struct ucred *cr, int users, int ref)
|
||||
mtx_unlock(&cr->cr_mtx);
|
||||
return;
|
||||
}
|
||||
KASSERT(cr->cr_ref >= 0, ("%s: ref %d not >= 0 on cred %p",
|
||||
KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
|
||||
__func__, cr->cr_ref, cr));
|
||||
if (cr->cr_ref > 0) {
|
||||
mtx_unlock(&cr->cr_mtx);
|
||||
@ -2051,7 +2051,7 @@ crfree(struct ucred *cr)
|
||||
mtx_unlock(&cr->cr_mtx);
|
||||
return;
|
||||
}
|
||||
KASSERT(cr->cr_ref >= 0, ("%s: ref %d not >= 0 on cred %p",
|
||||
KASSERT(cr->cr_ref >= 0, ("%s: ref %ld not >= 0 on cred %p",
|
||||
__func__, cr->cr_ref, cr));
|
||||
if (cr->cr_ref > 0) {
|
||||
mtx_unlock(&cr->cr_mtx);
|
||||
@ -2066,7 +2066,7 @@ crfree_final(struct ucred *cr)
|
||||
|
||||
KASSERT(cr->cr_users == 0, ("%s: users %d not == 0 on cred %p",
|
||||
__func__, cr->cr_users, cr));
|
||||
KASSERT(cr->cr_ref == 0, ("%s: ref %d not == 0 on cred %p",
|
||||
KASSERT(cr->cr_ref == 0, ("%s: ref %ld not == 0 on cred %p",
|
||||
__func__, cr->cr_ref, cr));
|
||||
|
||||
/*
|
||||
@ -2104,6 +2104,7 @@ crcopy(struct ucred *dest, struct ucred *src)
|
||||
bcopy(&src->cr_startcopy, &dest->cr_startcopy,
|
||||
(unsigned)((caddr_t)&src->cr_endcopy -
|
||||
(caddr_t)&src->cr_startcopy));
|
||||
dest->cr_flags = src->cr_flags;
|
||||
crsetgroups(dest, src->cr_ngroups, src->cr_groups);
|
||||
uihold(dest->cr_uidinfo);
|
||||
uihold(dest->cr_ruidinfo);
|
||||
@ -2210,7 +2211,7 @@ proc_unset_cred(struct proc *p)
|
||||
mtx_lock(&cr->cr_mtx);
|
||||
cr->cr_users--;
|
||||
if (cr->cr_users == 0)
|
||||
KASSERT(cr->cr_ref > 0, ("%s: ref %d not > 0 on cred %p",
|
||||
KASSERT(cr->cr_ref > 0, ("%s: ref %ld not > 0 on cred %p",
|
||||
__func__, cr->cr_ref, cr));
|
||||
mtx_unlock(&cr->cr_mtx);
|
||||
crfree(cr);
|
||||
|
@ -321,7 +321,7 @@ struct thread {
|
||||
int td_errno; /* (k) Error from last syscall. */
|
||||
size_t td_vslock_sz; /* (k) amount of vslock-ed space */
|
||||
struct kcov_info *td_kcov_info; /* (*) Kernel code coverage data */
|
||||
u_int td_ucredref; /* (k) references on td_realucred */
|
||||
long td_ucredref; /* (k) references on td_realucred */
|
||||
#define td_endzero td_sigmask
|
||||
|
||||
/* Copied during fork1(), thread_create(), or kthread_add(). */
|
||||
|
@ -61,8 +61,9 @@ struct loginclass;
|
||||
#if defined(_KERNEL) || defined(_WANT_UCRED)
|
||||
struct ucred {
|
||||
struct mtx cr_mtx;
|
||||
int cr_ref; /* (c) reference count */
|
||||
long cr_ref; /* (c) reference count */
|
||||
u_int cr_users; /* (c) proc + thread using this cred */
|
||||
u_int cr_flags; /* credential flags */
|
||||
struct auditinfo_addr cr_audit; /* Audit properties. */
|
||||
#define cr_startcopy cr_uid
|
||||
uid_t cr_uid; /* effective user id */
|
||||
@ -75,7 +76,6 @@ struct ucred {
|
||||
struct uidinfo *cr_ruidinfo; /* per ruid resource consumption */
|
||||
struct prison *cr_prison; /* jail(2) */
|
||||
struct loginclass *cr_loginclass; /* login class */
|
||||
u_int cr_flags; /* credential flags */
|
||||
void *cr_pspare2[2]; /* general use 2 */
|
||||
#define cr_endcopy cr_label
|
||||
struct label *cr_label; /* MAC label */
|
||||
|
Loading…
Reference in New Issue
Block a user