| To: | krb5-bugs@mit.edu |
| Subject: | race opening/creating replay cache. |
| Date: | Mon, 06 Mar 2006 21:44:01 -0500 |
| From: | Roland Dowdeswell <elric@imrryr.org> |
There is a race condition in the creation of the a replay cache,
or the replacement of a corrupt cache. Basically, libraries when
opening a rcache do the following logic:
1. They try to open the file.
a. if the open succeeds
i. if the magic number matches, return success
ii. if not, unlink(2) the file.
2. They try to create the file with O_CREAT|O_EXCL.
3. They write the magic number in it.
Of course, if you have 2 processes doing this there is room for:
There exists a time t s.t. both processes complete (1) before t
and start (2) after t.
In this case, one of them will fail if either the file did not exist or
was malformed---i.e. had the wrong magic number in it.
This can be reproduced by running the following program:
/* $Id$ */
#include <stdio.h>
#include <string.h>
#include <krb5.h>
#define PRINC_NAME "race"
#define K5BAIL(x) do { \
code = (x); \
if (code) { \
fprintf(stderr, "%s: %s\n", #x, \
error_message(code)); \
exit(EXIT_FAILURE); \
} \
} while(0)
/*ARGSUSED*/
int
main(int argc, char **argv)
{
krb5_context ctx;
krb5_error_code code;
krb5_rcache rcache;
krb5_data piece;
piece.data = strdup(PRINC_NAME);
piece.length = strlen(piece.data);
K5BAIL(krb5_init_context(&ctx));
K5BAIL(krb5_get_server_rcache(ctx, &piece, &rcache));
return 0;
}
To reproduce:
1. Run it under gdb(1), set a break point in krb5_rc_io_open(),
2. Step until you unlink the file,
3. Run another copy of the program,
4. continue the first one, and
5. Note that it fails. With the rather unhelpful error
``permission denied''.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
or the replacement of a corrupt cache. Basically, libraries when
opening a rcache do the following logic:
1. They try to open the file.
a. if the open succeeds
i. if the magic number matches, return success
ii. if not, unlink(2) the file.
2. They try to create the file with O_CREAT|O_EXCL.
3. They write the magic number in it.
Of course, if you have 2 processes doing this there is room for:
There exists a time t s.t. both processes complete (1) before t
and start (2) after t.
In this case, one of them will fail if either the file did not exist or
was malformed---i.e. had the wrong magic number in it.
This can be reproduced by running the following program:
/* $Id$ */
#include <stdio.h>
#include <string.h>
#include <krb5.h>
#define PRINC_NAME "race"
#define K5BAIL(x) do { \
code = (x); \
if (code) { \
fprintf(stderr, "%s: %s\n", #x, \
error_message(code)); \
exit(EXIT_FAILURE); \
} \
} while(0)
/*ARGSUSED*/
int
main(int argc, char **argv)
{
krb5_context ctx;
krb5_error_code code;
krb5_rcache rcache;
krb5_data piece;
piece.data = strdup(PRINC_NAME);
piece.length = strlen(piece.data);
K5BAIL(krb5_init_context(&ctx));
K5BAIL(krb5_get_server_rcache(ctx, &piece, &rcache));
return 0;
}
To reproduce:
1. Run it under gdb(1), set a break point in krb5_rc_io_open(),
2. Step until you unlink the file,
3. Run another copy of the program,
4. continue the first one, and
5. Note that it fails. With the rather unhelpful error
``permission denied''.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/