Page MenuHomeFreeBSD
Differential D35303

unix/dgram: smart socket buffers for one-to-many sockets
ClosedPublic
Actions

Authored by glebius on May 23 2022, 9:02 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 5, 10:42 AM
Unknown Object (File)
Fri, Apr 5, 10:42 AM
Unknown Object (File)
Fri, Apr 5, 10:42 AM
Unknown Object (File)
Fri, Apr 5, 10:42 AM
Unknown Object (File)
Fri, Apr 5, 10:42 AM
Unknown Object (File)
Fri, Apr 5, 10:42 AM
Unknown Object (File)
Fri, Apr 5, 10:41 AM
Unknown Object (File)
Fri, Apr 5, 10:41 AM
View All 97 Files
Subscribers
imp
pauamma_gundo.com

Details

Reviewers
markj
pauamma_gundo.com
Group Reviewers
network
transport
manpages
Commits
rG458f475df8e5: unix/dgram: smart socket buffers for one-to-many sockets
Summary

A one-to-many unix/dgram socket is a socket that has been bound
with bind(2) and can get multiple connections. A typical example
is /var/run/log bound by syslogd(8) and receiving multiple
connections from libc syslog(3) API. Until now all of these
connections shared the same receive socket buffer of the bound
socket. This made the socket vulnerable to overflow attack.
See 240d5a9b1ce for a historical attempt to workaround the problem.

This commit creates a per-connection socket buffer for every single
connected socket and eliminates the problem. The new behavior will
optimize seldom writers over frequent writers. See added test case
scenarios and code comments for more detailed description of the
new behavior.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 45887
Build 42775: arc lint + arc unit

Event Timeline

glebius created this revision.May 23 2022, 9:02 PM
Herald added a subscriber: imp. · View Herald TranscriptMay 23 2022, 9:02 PM
glebius requested review of this revision.May 23 2022, 9:02 PM
Harbormaster completed remote builds in B45684: Diff 106302.May 23 2022, 9:02 PM
glebius added a parent revision: D35302: unix/dgram: reduce mbuf chain traversals in send(2) and recv(2).May 23 2022, 9:02 PM
glebius added a child revision: D35305: libc/syslog: deprecate use of "/var/run/logpriv".May 23 2022, 9:07 PM
glebius added reviewers: network, markj.May 23 2022, 9:13 PM
glebius added a comment.May 23 2022, 9:22 PM

This patch is the final patch in the stack that starts at D35293 and this one achieves the final goal. The intermediate patches pass all tests, but should be considered as intermediate patches during review. The later changes to libc in D35305 depend on kernel functionality achieved by this patch. The whole branch can be viewed at https://github.com/glebius/FreeBSD/commits/unix-dgram

glebius mentioned this in D35294: unix/dgram: cleanup uipc_send of PF_UNIX/SOCK_DGRAM, step 1.May 23 2022, 9:24 PM
glebius mentioned this in D35295: unix/dgram: cleanup uipc_send of PF_UNIX/SOCK_DGRAM, step 2.
glebius mentioned this in D35296: unix/dgram: add a specific receive method - uipc_soreceive_dgram.
glebius mentioned this in D35297: unix/dgram: inline sbappendaddr_locked() into uipc_sosend_dgram().
glebius mentioned this in D35298: unix: provide an option to return locked from unp_connectat().
glebius mentioned this in D35299: sockets: enable protocol specific socket buffers.
glebius mentioned this in D35300: unix/dgram: use minimal possible socket buffer for PF_UNIX/SOCK_DGRAM.
glebius mentioned this in D35302: unix/dgram: reduce mbuf chain traversals in send(2) and recv(2).
glebius mentioned this in D35293: unix/dgram: add a specific send method - uipc_sosend_dgram().
glebius added a comment.May 23 2022, 9:30 PM

Other important note. This work seems to be dedicated to unix/dgram only, but it actually opens opportunities to other protocols. After this change, the only generic datagram socket left would be UDP, which means that UDP can make sosend_dgram()/soreceive_dgram() its private methods and optimize them. After that step the classic sockbuf would support only stream data, and then sosend_generic()/soreceive_generic() can be optimized to support only stream data. The SCTP which already does its private implementation of socket buffers as a hack can also use now generic feature.

glebius added a reviewer: transport.May 28 2022, 3:46 AM
glebius updated this revision to Diff 106494.May 31 2022, 3:52 AM

Rebase

Harbormaster completed remote builds in B45781: Diff 106494.May 31 2022, 3:52 AM
glebius updated this revision to Diff 106589.Jun 3 2022, 2:24 AM

Rebase

Harbormaster completed remote builds in B45829: Diff 106589.Jun 3 2022, 2:24 AM
glebius updated this revision to Diff 106636.Jun 4 2022, 7:14 PM

Maintain overall sb_acc + sb_ccc on the receive socket buffer so that
generic socket event code works.

This could be a temporary thing, and eventually this code shall be
protocol specific, too. But let's make the very first protocol specific
socket buffer implementation less disruptive.

Harbormaster completed remote builds in B45853: Diff 106636.Jun 4 2022, 7:14 PM
markj added a comment.Jun 6 2022, 1:56 PM

I suspect the feature should be documented in unix.4 somehow. Users writing application software regularly get confused by PF_UNIX socket buffer limits, etc., so perhaps we should add a new section which tries to describe the precise behaviour of each type of socket with respect to socket buffer limits and sizing.

sys/kern/uipc_usrreq.c
537

The assignment sendspace = unpdg_recvspace looks incorrect, so I'd suggest adding a comment explaining why it's correct.

1148

Add some assertions to check for underflow?

1342

The term "temporary connected" isn't actually used anywhere.

Consider adding a boolean flag variable instead of using addr == NULL to test for a connected sender.

1345
1348
1349
1355

I think some note on socket buffer locking is useful here. In particular, a connected sender's send buffer is synchronized by the receiver's receive buffer mutex, not by the sender's send buffer mutex.

1373

There are several places where uxdg_{cc,ctl,mbcnt} are adjusted by some deltas, IMHO it'd be cleaner to introduce a subroutine for that which can check for overflow etc.

2203
2205
glebius updated this revision to Diff 106688.Jun 6 2022, 8:42 PM
glebius marked 5 inline comments as done.
  • Comment adds and fixes.
  • Couple assertions.
  • update unix(4)
Herald added a reviewer: manpages. · View Herald TranscriptJun 6 2022, 8:42 PM
Harbormaster completed remote builds in B45872: Diff 106688.Jun 6 2022, 8:42 PM
glebius added inline comments.Jun 6 2022, 8:42 PM
sys/kern/uipc_usrreq.c
1342

The term isn't used, but it is 100% truth :) Through the lifetime of the actual sending part of this function both sockets are connected, and if you take a snapshot of memory, you won't be able to tell truly connected sockets with a sockets that are now in uipc_sosend_dgram(). This is also the reason why there is no bool connected = (addr != NULL), because through the function course they always are connect. I used to have this bool in earlier version, and then wiped it out.

I will try to improve wording in this comment.

1355

There is such comments in the structure definition in sockbuf.h

1373

There are several places where uxdg_{cc,ctl,mbcnt} are adjusted by some deltas, IMHO it'd be cleaner to introduce a subroutine for that which can check for overflow etc.

Well, generic socket code doesn't have this.

sys/sys/sockbuf.h
142

Typo

glebius updated this revision to Diff 106706.Jun 7 2022, 1:13 AM

Rebase

Harbormaster completed remote builds in B45887: Diff 106706.Jun 7 2022, 1:13 AM
glebius updated this revision to Diff 106710.Jun 7 2022, 5:31 AM

Fix leak in unp_disconnect(). Rewrite the added code to be more clear.

Harbormaster completed remote builds in B45890: Diff 106710.Jun 7 2022, 5:31 AM
markj added inline comments.Jun 9 2022, 6:54 PM
share/man/man4/unix.4
399
411

"... sockets of type SOCK_DGRAM are unreliable ..."

414
418

I think some further explanation of socket buffer accounting would be useful. My understanding of the implementation is,

  1. for unconnected sends, the receiving socket's receive buffer limit applies,
  2. for connected sends, the sending socket's send buffer limit applies.

The aim is to provide some initial guidance for a programmer confused by ENOBUFS from a send() call.

I'd be ok adding this as a separate commit.

421

Or "An apparent," but I think that word does not add anything here.

422
423
sys/kern/uipc_usrreq.c
1342

Fair enough, thank you.

markj accepted this revision as: markj.Jun 9 2022, 6:54 PM
This revision is now accepted and ready to land.Jun 9 2022, 6:54 PM
glebius updated this revision to Diff 106799.Jun 9 2022, 7:59 PM
  • More manual page text.
  • Small bugfix.
This revision now requires review to proceed.Jun 9 2022, 7:59 PM
Harbormaster completed remote builds in B45921: Diff 106799.Jun 9 2022, 7:59 PM
pauamma_gundo.com requested changes to this revision.Jun 9 2022, 11:06 PM
pauamma_gundo.com added a subscriber: pauamma_gundo.com.
pauamma_gundo.com added inline comments.
share/man/man4/unix.4
397
419
437

Do you mean "will" here? "Would", to me, has undertones of "if something else didn't prevent that".

446

"apparent"? Did you mean "possible"? (See also markj's comment above.)

This revision now requires changes to proceed.Jun 9 2022, 11:06 PM
glebius marked 10 inline comments as done.Jun 10 2022, 5:23 AM
glebius updated this revision to Diff 106808.Jun 10 2022, 5:24 AM

Accept all manual page suggections. Thanks!

Harbormaster completed remote builds in B45926: Diff 106808.Jun 10 2022, 5:24 AM
glebius updated this revision to Diff 106818.Jun 10 2022, 5:34 PM
  • Remove more legacy from uipc_dgram_sbspace() making it a true bool. Fixes edge case found by syzcaller.
Harbormaster completed remote builds in B45930: Diff 106818.Jun 10 2022, 5:34 PM
pauamma_gundo.com accepted this revision.Jun 14 2022, 1:08 AM

Manual page English LGTM. Can't say about code or consistency between them.

This revision is now accepted and ready to land.Jun 14 2022, 1:08 AM
Closed by commit rG458f475df8e5: unix/dgram: smart socket buffers for one-to-many sockets (authored by glebius). · Explain WhyJun 24 2022, 4:11 PM
This revision was automatically updated to reflect the committed changes.
glebius added a commit: rG458f475df8e5: unix/dgram: smart socket buffers for one-to-many sockets.

Revision Contents
Changeset List

PathSize
share/
man/
man4/
29 lines
sys/
kern/
174 lines
sys/
27 lines
tests/
sys/
kern/
85 lines

Diff 106706

View Options

share/man/man4/unix.4

Loading...
View Options

sys/kern/uipc_usrreq.c

Loading...
View Options

sys/sys/sockbuf.h

Loading...
View Options

tests/sys/kern/unix_dgram.c

Loading...