Re: [PATCH] Security fix for 2.1.111, 2.0.x forwardport

Linus Torvalds (
30 Jul 1998 06:46:41 GMT

In article <>,
Chris Wedgwood <> wrote:
>On Sun, Jul 26, 1998 at 10:23:14PM +0100, Alan Cox wrote:
>> The only other one I can find off hand is the /proc stuff - sitting with
>> /proc/somepid/file open when the PID is reused.
>I've been trying to think of a good way to avoid this - and can't
>really think of anything terribly useful.
>One (ugly hack) that does come to mind though, is, if it is possible
>to find all files open referencing and inode between (X & Y), then
>when pid n exits, close any open descriptors associated with
>inode (n<<16 & 0xFFFF0000).

One fairly good way (and that may make sense in other cases like this
too, not just the /proc filesystem) is to add a "version" to the file
descriptor that the low-level filesystem is free to use however it

In the case of the /proc filesystem, it would for example be very easy
for the procfs code to initialize the "version" at open-time to be the
start date of the process whose fd we opened. That's when we check the
permissions, so we essentially save away this "cookie" about the process
(the fact that it's the start time is not important - it should just be
"unique enough" that if the pids wrap around you won't have the same

Then read() and write() etc things would just have something like

.. look up tsk according to the pid information ..

if (filp->f_version != tsk->start_time)
return -EIO;

.. do the actual operation ..

(and if somebody wanted to, it could also compain a few times about an
attempted crack..)

Alan fixed it in 2.0.x by adding the full security test into the
read()/write() functions, and I suggested he do something like that
because it's the "obvious" way to handle the problem. The advantage of
the above approach is that it gets the case right when you pass the file
descriptor to another process (or you lower your privileges) then the
user is still able to use it even if he woudln't be able to open the
file himself - which is the real UNIX semantics..

Alan, what do you think?


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
Please read the FAQ at