In a message dated 8/29/02 11:48:19 PM, [EMAIL PROTECTED] writes:
> Date: Thu, 29 Aug 2002 15:46:57 +0100
> From: Harry Moreau <[EMAIL PROTECTED]>
> Subject: How to crash AOLserver 3.4 in one line of tcl...
>
> The line is
>
> ns_rwlock destroy rid0x83daf50
>
> providing that rid0x83daf50 does *not* point to a valid rwlock, or a second
> example using three lines...
>
> set lock [ns_rwlock create]
> ns_rwlock destroy $lock
> ns_rwlock destroy $lock
>
> Attempting to destroy the lock (intentionally or otherwise) twice
> will crash the server.
>
> This happens because...
>
> There are two functions in nsd/tclthread.c to manage rwlocks, mutexes etc.
>
> GetObj() and SetObj()
>
> The first three bytes of the name of a rwlock/mutex/semaphore/condvar etc
> are interpreted as the type identifier, the rest of the rid0x83daf50 string
> above is assumed to be the actual address of the thing! No further checking
> is performed by GetObj() to ensure that the provided address is actually
> correct, so you can make up any address you like and pass it to ns_rwlock or
> ns_mutex or whatever with the destroy sub-command and have the memory so
> pointed to over-written!
>
> I looked at the 4.0 beta code, this hasn't changed. I'm going to fix it for
> my sites - haven't decided how yet - I'll be quite happy to pass on the code
> to someone for review and possible inclusion in the code base.
>

Hi,

Old versions of AOLserver (prior to 2.3?) would maintain thread object ids in a hash table protected by a mutex. We moved to direct address ids as part of an overall effort to remove as many locks as possible - those old versions were subject to a lot of lock contention. I recall describing this technique to Ousterhout a few years back - he thought it was a dumb idea. Oh well.

Anyway, for 4.0 you could create some Tcl_Obj types which could lookup the addresses in a protected table and then store the result in the Tcl_Obj private data, avoiding the locks going forward.

Send to me or upload to Sourceforge any patches you'd like to get integrated into the core.

Thanks,

-Jim
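The mutex-protected id table Jim describes, as an added C example that is not AOLserver code: script-visible ids are opaque serials with the 3-byte type prefix, resolved only through the table, so a made-up or already-destroyed id comes back as an error instead of being dereferenced. The function names, table layout and id format are assumptions for illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
enum { MAX_HANDLES = 64, ID_LEN = 32 };
/* A registered lock: scripts get an opaque id ("rid7": type prefix + serial), never an address. */
typedef struct { char id[ID_LEN]; void *obj; } Handle; /* obj == NULL: free slot */
static Handle table[MAX_HANDLES];
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned long next_serial = 1;
/* Register obj under a 3-byte type; writes the new id to id_out. 0 ok, -1 if full. */
int handle_register(const char *type, void *obj, char *id_out, size_t out_len)
{
    int rc = -1;
    pthread_mutex_lock(&table_lock);
    for (int i = 0; i < MAX_HANDLES && rc < 0; i++) {
        if (table[i].obj) continue;
        snprintf(table[i].id, ID_LEN, "%.3s%lu", type, next_serial++);
        table[i].obj = obj;
        snprintf(id_out, out_len, "%s", table[i].id);
        rc = 0;
    }
    pthread_mutex_unlock(&table_lock);
    return rc;
}
/* Caller holds table_lock. Matches only a live entry whose prefix is type. */
static Handle *find_locked(const char *id, const char *type)
{
    if (strncmp(id, type, 3) != 0) return NULL;
    for (int i = 0; i < MAX_HANDLES; i++)
        if (table[i].obj && strcmp(table[i].id, id) == 0) return &table[i];
    return NULL;
}
/* GetObj() replacement: NULL for a forged, stale or mistyped id, no dereference. */
void *handle_lookup(const char *id, const char *type)
{
    pthread_mutex_lock(&table_lock);
    Handle *h = find_locked(id, type);
    void *obj = h ? h->obj : NULL;
    pthread_mutex_unlock(&table_lock);
    return obj;
}
/* Retire id and hand back obj to free. A second destroy finds no entry: -1, not a crash. */
int handle_destroy(const char *id, const char *type, void **obj_out)
{
    pthread_mutex_lock(&table_lock);
    Handle *h = find_locked(id, type);
    if (h) { *obj_out = h->obj; h->obj = NULL; }
    pthread_mutex_unlock(&table_lock);
    return h ? 0 : -1;
}
```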
