From nobody@FreeBSD.ORG Mon May 10 12:05:56 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id E169315C21; Mon, 10 May 1999 12:05:49 -0700 (PDT)
Message-Id: <19990510190549.E169315C21@hub.freebsd.org>
Date: Mon, 10 May 1999 12:05:49 -0700 (PDT)
From: will@iki.fi
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: File descriptor table sharing is broken
X-Send-Pr-Version: www-1.0

>Number:         11629
>Category:       kern
>Synopsis:       File descriptor table sharing is broken
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    dillon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 10 12:10:01 PDT 1999
>Closed-Date:    Mon Nov 27 11:56:44 PST 2000
>Last-Modified:  Mon Nov 27 11:58:18 PST 2000
>Originator:     Ville-Pertti Keinonen
>Release:        Should affect all FreeBSD versions since 2.2.x, verified to cause problems on 3.0, 3.1 and 4.0-current
>Organization:
>Environment:
Not relevant
>Description:
Shared file descriptor tables (created by rfork and aio) are not
properly supported; there is no protection against file descriptor
allocation races, accessing uninitialized files or closing files from
under blocked operations.

This can cause accesses to unallocated memory, deadlocks and panics.

A more detailed description is included in a tarball available at
http://www.hut.fi/~will/freebsd_fdtabsh1.tar.gz
>How-To-Repeat:
Examples are included in the tarball.
>Fix:
A patch is also included in the tarball.

>Release-Note:
>Audit-Trail:

From: Ville-Pertti Keinonen <will@iki.fi>
To: freebsd-gnats-submit@freebsd.org
Cc: will@iki.fi, imp@harmony.village.org, cmsedore@mailbox.syr.edu
Subject: Re: kern/11629: File descriptor table sharing is broken
Date: Mon, 05 Jul 1999 10:45:09 +0300

 An updated, much more complete patch is available at
 http://www.hut.fi/~will/freebsd_fdtabsh2.diff (against -current from
 last week).
 
 The new patch is quite large, but I'm fairly certain that it fixes most
 cases.
 
 I've Cc'd people who have tested the old patch.
 
Responsible-Changed-From-To: freebsd-bugs->dillon 
Responsible-Changed-By: dillon 
Responsible-Changed-When: Sun Oct 29 10:01:04 PST 2000 
Responsible-Changed-Why:  
I'm working up a patch set to fix the file descriptor races.  The problem 
is even more severe than originally reported ... things like ioctl can blow 
up too. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=11629 
State-Changed-From-To: open->closed 
State-Changed-By: dillon 
State-Changed-When: Mon Nov 27 11:56:44 PST 2000 
State-Changed-Why:  

Fixes have been applied to -stable and -current.  They aren't perfect; we 
do not yet encapsulate the descriptor table lookup + hold function, but  
they do solve the problem.  A proper fix will be done later. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=11629 
>Unformatted:
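Added example, not part of the original report or of the FreeBSD patches: a single-threaded C model of the "descriptor table lookup + hold" idea named in the closing note, replaying a close from under a blocked operation on a shared table. All names (struct file's fields, fd_hold, file_drop, fd_open, fd_close) are hypothetical, and the table lock a kernel would take is only marked in a comment.

```c
#include <stdlib.h>

#define NFILES 8

struct file {                 /* hypothetical stand-in for a kernel file object */
    int refs;                 /* table slot + each in-flight operation */
    int *freed;               /* demo only: set to 1 when the object is released */
};
struct fdtable { struct file *slot[NFILES]; };   /* shared, as after rfork */

static void file_drop(struct file *fp) {
    if (--fp->refs == 0) { *fp->freed = 1; free(fp); }
}

/* Lookup and hold as ONE step. A kernel would do both under the table lock,
 * so a close by a sharing process cannot land between them. */
static struct file *fd_hold(struct fdtable *t, int fd) {
    if (fd < 0 || fd >= NFILES || t->slot[fd] == NULL) return NULL;
    t->slot[fd]->refs++;
    return t->slot[fd];
}

static int fd_open(struct fdtable *t, int *freed) {
    for (int fd = 0; fd < NFILES; fd++) {
        if (t->slot[fd] != NULL) continue;
        struct file *fp = malloc(sizeof *fp);
        if (fp == NULL) return -1;
        fp->refs = 1;
        fp->freed = freed;
        t->slot[fd] = fp;     /* publish only once fully initialized */
        return fd;
    }
    return -1;
}

static int fd_close(struct fdtable *t, int fd) {
    if (fd < 0 || fd >= NFILES || t->slot[fd] == NULL) return -1;
    struct file *fp = t->slot[fd];
    t->slot[fd] = NULL;       /* the slot is reusable at once ... */
    file_drop(fp);            /* ... but the object lives while it is held */
    return 0;
}

/* Replay: A blocks in an operation on fd while B closes the same fd. */
static int replay_close_under_blocked_op(void) {
    struct fdtable t = {{NULL}};
    int freed = 0;
    int fd = fd_open(&t, &freed);
    struct file *fp = fd_hold(&t, fd);      /* A: starts the operation, blocks */
    if (fp == NULL) return 0;
    fd_close(&t, fd);                       /* B: close from under A */
    int freed_while_blocked = freed;        /* stays 0: A's hold keeps it alive */
    file_drop(fp);                          /* A: wakes, finishes, releases */
    return !freed_while_blocked && freed && fd_hold(&t, fd) == NULL;
}

int main(void) { return replay_close_under_blocked_op() ? 0 : 1; }
```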
