
    Absolutely fantastic work. Also, I really like all the information the author shared during this journey.

    It’s also nice to see this great property: “A nice aspect of this race condition is that if you only hit the difficult race (close() the FD and run unix_gc() while dup() is preempted between FD table lookup and refcount increment), no memory corruption happens yet, but you can observe that the GC has incorrectly removed a socket buffer (SKB) from the victim socket. Even better, if the race fails, you can also see in which direction it failed, as long as no FDs below the victim FD are unused:”

    This kind of “side-channel” is beautiful in my opinion. I like how in many cases we can get information regarding what happened via return values.