[PATCH] Improve talloc security

Andrew Bartlett abartlet at samba.org
Mon Feb 23 19:31:54 MST 2015 

On Mon, 2015-02-23 at 18:24 -0800, Jeremy Allison wrote:
> On Tue, Feb 24, 2015 at 03:03:34PM +1300, Andrew Bartlett wrote:
> > On Mon, 2015-02-23 at 17:30 -0800, Jeremy Allison wrote:
> > > 
> > > Problem with this I can see is it makes talloc *more* MT-unsafe
> > > when used without the TALLOC_FREE_FILL environment variable,
> > > and without talloc_enable_null_tracking().
> > > 
> > > I know it's a small race condition on initialization but
> > > eventually all these things add up.
> > 
> > Indeed, I can see this might be an issue.  libbsd hit the same thing
> > here trying to play around with the global environ[] to implement
> > setproctitle:
> > 
> > http://cgit.freedesktop.org/libbsd/commit/?id=c5b959028734ca2281250c85773d9b5e1d259bc8
> > 
> > https://bugs.freedesktop.org/show_bug.cgi?id=66679
> > 
> > In short, we can already be in threads when we are in the library init,
> > if we are invoke for the first time by dlopen(). 
> > 
> > But the above is racing against other parts of the system that can see
> > and use environ[].  What I don't really see is how we get init() to run
> > twice, because dlopen() will only load a library once (otherwise we
> > would be in bigger trouble).  
> > 
> > In any case, dropping the rand() patch would avoid that part of the
> > issue, as it would be deterministic.  I still don't see the race, but I
> > understand why it raised red flags for you.
> 
> Never mind, I initially missed we're in the contructor
> when that gets run (obviously completely ignored the
> first patch which explicitly checks the platform supports
> running constructors :-) which should mean we're safe there.

I currently have a fallback for the non-constructor case, but I'm happy
to remove it, and make it either fail to build or not support this
feature instead. 

> In fact it might be better to move the TALLOC_FREE_FILL
> code also into a library constructor (if we're adding
> one) in order to remove one of the races we already
> have with MT-code.

That sounds like a good idea.  It also removes a branch from the hot
path.  (talloc_free() is a really, really hot path). 

Andrew Bartlett

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list