The problem with the Signal service implementation.
Norman Feske
norman.feske at ...1...
Fri Feb 10 12:10:47 CET 2012
Hi Ivan,
> We were investigating problem of sending big amount of data via network
> in Genode on Fiasco.OC. And we have found out some significant bug of
> the Genode Signal service implementation and we also could provide the
> simple stable solution. As know Packet_stream_rx and Packet_stream_tx
thank you for investigating this issue. This is indeed a problem on all
kernels that use kernel-protected capabilities (i.e., Fiasco.OC and
NOVA). Actually, there exists an issue-tracker entry for it:
https://github.com/genodelabs/genode/issues/32
Admittedly, I had not realized the significance of this issue for the
packet-stream interface.
> context is redundant. Signal_session_component::submit uses
> Signal_context_capability only for searching it in the context
> entrypoint (base/src/core/signal_session_component.cc). But the same
> effect could be achieved by searching signal context by a
> badge(local_name()) and then there would not be necessity of capability
> unmarshalling. The decision is quite simple to change the
> Signal_context_capability typedef from Capability<Signal_context> to
> simple int or long type (base/include/signal_session/signal_session.h)
> and then to fix all errors generated by compiler. So we think that this
> problem of Signal service is significant and has to be fixed as quickly as
> possible. But of course we'll be glad to hear any of your remarks about the
> decision to use the capability in a sense of Signal_context.
Unfortunately, a real solution for the problem is not as simple as that.
You are right that the badge is used as a key for looking up the
signal-context within core. But by passing the badge as plain data
instead of a capability, the referred signal context could be forged by
the client. This way, a malicious client would be able to submit signals
to all signal receivers in the system. The use of capabilities prevents
that.
That said, I think that your fix is better as an interim solution than the
current leak of capability selectors.
Thanks a lot for bringing up the issue and for the proposal for a fix.
Your work is much appreciated!
Norman
--
Dr.-Ing. Norman Feske
Genode Labs
http://www.genode-labs.com · http://genode.org
Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
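
Added example, not part of the original mail and not Genode code: a toy C++ model of the point made in the reply, that a badge passed as plain data can be forged by the client while a reference resolved through the caller's capability space cannot. The names Core, cap_space, submit_by_badge, submit_by_capability and foreign_signals are hypothetical, and the per-client selector table only stands in for the kernel-protected capability space.

```cpp
// Toy model constructed for illustration; not Genode source code.
#include <cstddef>
#include <map>
#include <string>
#include <vector>

using Badge  = long;         // core-local key of a signal context
using Client = std::string;  // hypothetical client identity

struct Core {
    Badge next_badge = 1;
    std::map<Badge, unsigned> delivered;             // signals per context
    std::map<Client, std::vector<Badge>> cap_space;  // selector index -> badge

    // Create a context; the receiver obtains a selector for it.
    std::size_t alloc_context(const Client &receiver) {
        delivered[next_badge] = 0;
        cap_space[receiver].push_back(next_badge++);
        return cap_space[receiver].size() - 1;
    }
    // Delegation: the holder hands its capability to another client.
    void delegate(const Client &from, std::size_t sel, const Client &to) {
        cap_space[to].push_back(cap_space.at(from).at(sel));
    }
    // Variant A: badge arrives as plain data and is used directly as key.
    bool submit_by_badge(Badge b) {
        auto it = delivered.find(b);
        if (it == delivered.end()) return false;
        ++it->second;
        return true;
    }
    // Variant B: caller names a selector; only its own table is consulted.
    bool submit_by_capability(const Client &caller, std::size_t sel) {
        auto it = cap_space.find(caller);
        if (it == cap_space.end() || sel >= it->second.size()) return false;
        ++delivered[it->second[sel]];
        return true;
    }
};

// Returns how many signals reached a context never delegated to "client".
unsigned foreign_signals(bool use_capabilities) {
    Core core;
    std::size_t own = core.alloc_context("receiver_a");  // badge 1
    core.alloc_context("receiver_b");                    // badge 2, never shared
    core.delegate("receiver_a", own, "client");
    for (long v = 0; v < 8; ++v) {  // client supplies values it was never given
        if (use_capabilities) core.submit_by_capability("client", static_cast<std::size_t>(v));
        else                  core.submit_by_badge(v);
    }
    return core.delivered[2];
}
```

With plain badges the undelegated context of receiver_b receives a signal; with the selector lookup it receives none, because every value the client can name resolves only inside its own table.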