Re: [PATCH 0/2] fix up {arg,env}_{start,end} vs prctl

From: Cyrill Gorcunov
Date: Thu Jan 07 2016 - 04:53:12 EST


On Wed, Jan 06, 2016 at 06:02:27AM +0100, Mateusz Guzik wrote:
> An unprivileged user can trigger an oops on a kernel with
> CONFIG_CHECKPOINT_RESTORE.
>
> proc_pid_cmdline_read takes mmap_sem for reading and obtains args + env
> start/end values. These get sanity checked as follows:
> BUG_ON(arg_start > arg_end);
> BUG_ON(env_start > env_end);
>
> These can be changed by prctl_set_mm. Turns out it also takes the semaphore for
> reading, effectively rendering it useless. This results in:

Thanks a lot for catching it! You know, I tried to escape taking the sem
for writing as long as I could, so another option might be simply to
zap these BUG_ONs and rather exit with -EINVAL. On the other hand,
modification under read-lock of course is not correct in terms
of the "general approach", but these members are special so I took
a risk. Anyway,

Acked-by: Cyrill Gorcunov <gorcunov@xxxxxxxxxx>

Thanks again.