Re: user pointers and race conditions

From: Al Viro
Date: Thu May 17 2007 - 01:04:47 EST

Next message: David Miller: "Re: user pointers and race conditions"
Previous message: Neil Brown: "RE: Software raid0 will crash the file-system, when each disk is5TB"
In reply to: sk b: "user pointers and race conditions"
Next in thread: David Miller: "Re: user pointers and race conditions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, May 16, 2007 at 10:56:22PM -0600, sk b wrote:
>
> Hello,
>
> I'm wondering whether there is an exploitable TOCTTOU race condition in the way user pointers are handled in the kernel. Consider the following code:
>
> 1: struct st { int *u; };
> 2: void syscall(struct st * stp) {
> 3: if (!access_ok(VERIFY_READ,stp,sizeof(struct st)))
> 4: return;
> 5: if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int)))

... and there's your bug - direct access to userland data. The normal
variant is to use accessors (get_user() or copy_from_user()) to fetch
the value of stp->u. At which point races of the kind you mentioned
take an obviously dumb code (explicitly copying the same struct from
userland _twice_).

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Miller: "Re: user pointers and race conditions"
Previous message: Neil Brown: "RE: Software raid0 will crash the file-system, when each disk is5TB"
In reply to: sk b: "user pointers and race conditions"
Next in thread: David Miller: "Re: user pointers and race conditions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]