Closed Bug 528050 Opened 15 years ago Closed 11 years ago

Improve shmem protection scheme

Categories

(Core :: IPC, defect)

Product:
Core
Component:
IPC
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: cjones, Assigned: cjones)

References

Details

Currently it looks like

  |[ (magic byes) (Header) (empty) ]|  // front sentinel, no access rights
  |[ user area ...                 ]|
  ...
  |[ last page ]  (empty)           |
  |[ (empty)                       ]|  // back sentinel, no access rights

where | ... | is a memory page, and [ ... ] blocks are "important" space.  Notice that we potentially leave some "unimportant" (empty) space at the end of the user's area.  The user could write into this without penalty, even though that's a buffer overflow.

I think a better scheme would be to fill the (empty) bytes in the front sentinel with 0x5 bytes, and fill the (empty) bytes in the last user page and back sentinel with 0xa (arbitrary choices of 0x5/0xa, could be the same).  When mapping/unmapping/sending/receiving a page, Shmem code would verify the magic bytes, header, and 0x5 and 0xa bytes.  This can potentially catch the aforementioned buffer overflow, and additionally threadsafety errors like fiddling with the shmem segment on another thread while the main thread is mapping/unmapping/verifying.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.