On Fri, 13 Oct 2000, Dr. Werner Fink wrote:
>
> Hi,
>
> hopefully this mail isn't lost because of a nervous `d' finger ;^)
> Last week I've finished the work on the system call revoke for 2.4 and
> done some changes on it suggested by the vendors security list.
>
> Due to the security issue of the syscall revoke, it would nice to see
> this patch going in 2.4. This would help to close some open security
> issues (e.g. user usage of vcs/vcsa and other devices).
>
> This implementation of sys_revoke not only removes all references
> of a block or character special file but also all mmap vma's.
It's racey.
1) one process does read() on device, another does revoke()
followed by rmmod. Oops - nothing holds module in memory, the first
process is executing code from that module (->read(), that is) and
we unmap that code.
2) every access to ->f_op suddenly becomes unsafe. Basically the
same scenario, but here we have the window between fetching ->f_op and
calling ->f_op->foo. You have no exclusion here, and even if you had, you
still got #1 to deal with.
IOW, it's broken by design - you can't just drop ->f_op and call it
quits. You certainly can't leave any process in the middle of code that
becomes unprotected. And it's not an SMP-only problem - since ->read() may
sleep you have #1 on UP too.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Oct 15 2000 - 21:00:25 EST