NetBSD-Bugs archive


kern/59147: sysctl: bounded-memory lookups by name



>Number:         59147
>Category:       kern
>Synopsis:       sysctl: bounded-memory lookups by name
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 06 14:25:00 +0000 2025
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, ...
>Organization:
The NetBSysctlD __attribute__((constructor))
>Environment:
>Description:
Userland sysctl name lookups for nodes like "kern.entropy.epoch", given a prefix of known MIB numbers like CTL_KERN for "kern", work as follows:

1. Query sysctl {CTL_KERN, CTL_QUERY} for the length of a list of all sysctl nodes kern.*, with a null buffer.
2. Allocate a buffer to hold them.
3. Query sysctl {CTL_KERN, CTL_QUERY} for the list of all sysctl nodes kern.*.
4. Search through those sysctl nodes for the next matching component name "entropy".
5. Repeat until all the component names have been matched, "kern.entropy.epoch".

In principle this requires unbounded memory allocation, which makes it troublesome to use in difficult contexts like ELF constructors or signal handlers.  For certain special cases, we can estimate the maximum size of the buffer based on what we know about the kernel and allocate a stack buffer of that size, as we did for PR lib/59107: libc constructors on arm use malloc <https://gnats.NetBSD.org/59107>, but this is fragile.
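The five-step walk above, as an added example that is not the PR's or NetBSD's own code: resolve_by_name() performs steps 1 to 5 over a query function, and a constructed in-memory node table stands in for the kernel's CTL_QUERY backend (real code would call sysctl(2) with CTL_QUERY and struct sysctlnode) so that it runs anywhere; the node names, numbers and the peak-allocation bookkeeping are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the kernel's node table; NetBSD's struct sysctlnode
 * has more fields, but only the name and the number drive the walk. */
struct node { int parent; int num; const char *name; };
static const struct node TABLE[] = {
    { -1, 1, "kern" }, { -1, 6, "hw" },
    { 1, 2, "ostype" }, { 1, 88, "entropy" }, { 1, 3, "osrelease" },
    { 88, 1, "consolidate" }, { 88, 2, "epoch" },
};
/* Stand-in for sysctl({..., CTL_QUERY}): lists the children of `parent`.
 * With buf == NULL it only reports the size needed, as the kernel does. */
static int query_children(int parent, struct node *buf, size_t *len)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof TABLE / sizeof *TABLE; i++) {
        if (TABLE[i].parent != parent) continue;
        if (buf != NULL && (n + 1) * sizeof *buf > *len) return -1; /* ENOMEM */
        if (buf != NULL) buf[n] = TABLE[i];
        n++;
    }
    *len = n * sizeof *buf;
    return 0;
}
/* Resolve "a.b.c" to MIB numbers with the five-step walk from the PR.  *peak
 * receives the largest buffer the walk had to allocate: that size is dictated
 * by the kernel's node count, so the caller cannot bound it up front. */
static int resolve_by_name(const char *path, int *mib, int maxlen, size_t *peak)
{
    char copy[128];
    int depth = 0, parent = -1;
    if (strlen(path) >= sizeof copy) return -1;
    strcpy(copy, path);
    *peak = 0;
    for (char *comp = strtok(copy, "."); comp; comp = strtok(NULL, ".")) {
        size_t len = 0;                                              /* step 1 */
        if (depth == maxlen || query_children(parent, NULL, &len) || !len) return -1;
        struct node *list = malloc(len);                             /* step 2 */
        if (list == NULL) return -1;
        if (len > *peak) *peak = len;
        if (query_children(parent, list, &len)) { free(list); return -1; } /* step 3 */
        int found = -1;
        for (size_t i = 0; i < len / sizeof *list; i++)              /* step 4 */
            if (strcmp(list[i].name, comp) == 0) { found = list[i].num; break; }
        free(list);
        if (found < 0) return -1;
        mib[depth++] = parent = found;                    /* step 5: next level */
    }
    return depth;
}
```

Note that the peak buffer size is decided by how many siblings each level has in the table, which is the kernel's choice, not the caller's.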

Certain information should perhaps be transmitted to userland another way -- e.g., on aarch64, the kernel could emulate  MRS xN, ID_*_EL1  instructions on trap from EL0 so userland can execute them without a sysctl; the entropy epoch could be put in a shared page with vDSO -- and of course we can statically allocate sysctl numbers with #defines in sys/*.h, but we should nevertheless really be able to get at arbitrary sysctl nodes with small bounded memory allocation.
>How-To-Repeat:
Try to query sysctls in troublesome contexts like ELF constructors, ifunc selectors, or signal handlers.
>Fix:
This probably requires writing a new kernel interface, say CTL_QUERYBYNAME that takes a string on input and returns a MIB number on output.