Date: Fri, 24 Mar 2017 16:56:46 +0100
From: Alexander Bluhm
To: tech@openbsd.org
Subject: sendsyslog file race
Message-ID: <20170324155646.GD6537@t430s.bluhm.invalid>

Hi,

There is a race in dosendsyslog() which resulted in a crash on a 5.9 system. sosend(syslogf->f_data, ...) was called with a NULL pointer. So syslogf is not NULL, f_data is NULL and f_count is 1.

The file structure is ref counted, but the global variable syslogf is not protected. So it may change during sleep and dosendsyslog() possibly uses a different socket at each access.
My crash happened during a reboot when init(8) is killing syslogd(8) and some sort of super daemon tries to restart it constantly. Although this design is questionable, it helps finding kernel bugs :-)

Solution is to access syslogf only once, use a local copy, and do the ref counting there.

ok?

bluhm

Index: kern/subr_log.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/kern/subr_log.c,v retrieving revision 1.48 diff -u -p -r1.48 subr_log.c --- kern/subr_log.c 23 Jun 2016 15:41:42 -0000 1.48 +++ kern/subr_log.c 24 Mar 2017 15:31:49 -0000 @@ -409,14 +409,17 @@ dosendsyslog(struct proc *p, const char struct iovec *ktriov = NULL; int iovlen; #endif + struct file *fp; char pri[6], *kbuf; struct iovec aiov; struct uio auio; size_t i, len; int error; - if (syslogf) - FREF(syslogf); + /* Global variable syslogf may change during sleep, use local copy. */ + fp = syslogf; + if (fp) + FREF(fp); else if (!ISSET(flags, LOG_CONS)) return (ENOTCONN); else { @@ -467,8 +470,8 @@ dosendsyslog(struct proc *p, const char #endif len = auio.uio_resid; - if (syslogf) { - error = sosend(syslogf->f_data, NULL, &auio, NULL, NULL, 0); + if (fp) { + error = sosend(fp->f_data, NULL, &auio, NULL, NULL, 0); if (error == 0) len -= auio.uio_resid; } else if (constty || cn_devvp) { @@ -515,8 +518,8 @@ dosendsyslog(struct proc *p, const char free(ktriov, M_TEMP, iovlen); } #endif - if (syslogf) - FRELE(syslogf, p); + if (fp) + FRELE(fp, p); else error = ENOTCONN; return (error);
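
Review bot: The new comment in the first hunk (@@ -409) says only that syslogf "may change during sleep"; it does not state the property that makes the local copy safe, namely that syslogf is read once and FREF(fp) is taken on that copy with nothing that can sleep in between. Suggest extending the comment to say so, and to say that every later use in dosendsyslog() must go through fp and never through syslogf again.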
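
Review bot: In the second hunk (@@ -467) fp->f_data is still handed to sosend() without any check. The report is a NULL f_data on a file whose f_count was 1, so the commit message should say why holding the reference taken on fp rules that state out for the rest of the call; a KASSERT on fp->f_data just before the sosend() call would document that invariant in the code.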
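
Review bot: The FRELE(fp, p) in the third hunk (@@ -515) is the only release shown, at the very end of the function, so any return between FREF(fp) and this point would leak the reference. The early return visible in the first hunk is taken only when fp is NULL, which is fine; please confirm that the error paths not shown in this diff all fall through to this release rather than returning directly.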