Re: Change in functionality of futex() system call.

[Andrew Lutomirski]

On Tue, Jun 7, 2011 at 3:01 PM, Darren Hart <dvhart@xxxxxxxxxxxxxxx> wrote:
>>> If a group of cooperating processes uses a memory segment to exchange
>>> critical information, do you really think this memory segment will be
>>> readable by other unrelated processes on the machine ?
>>
>> Depends on the design.
>>
>> I have some software I'm working on that uses shared files and could
>> easily use futexes.  I don't want random read-only processes to
>> interfere with the futex protocol.
>
>
> So don't use world readable files.

...which prevents people from *reading* them, which was the whole point.

>
>
>>>
>>> How is this related to futex code ?
>>
>> Because this usage is currently safe and would become unsafe with the
>> proposed change.
>>
>>>
>>> Same problem for legacy IPC (shm, msg, sem) : Appropriate protections
>>> are needed, obviously.
>>>
>>> BTW, kernel/futex.c uses a global hash table (futex_queues[256]) and a
>>> very predictable hash_futex(), so its easy to slow down futex users...
>>
>> There's a difference between slowing down users by abusing a kernel
>> hash and deadlocking users by eating a wakeup.  (If you eat a wakeup
>> the wakeup won't magically come back later.  It's gone.)
>
> That's the nature of SHARED, you have to protect the mapping independent
> of the futex mechanism.

Well... it used to mean you have to protect from untrusted RW users.
Now it will mean you have to protect from untrusted RO users.

AFAICT sys_futex will become the only way that a user with RO access
to a file can actually interfere with the owner of the file (as
opposed to just learning information).

Why do we need this change again?

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/