Re: New do_mremap vulnerabitily.

From: Andrea Arcangeli
Date: Wed Feb 18 2004 - 18:50:48 EST


On Wed, Feb 18, 2004 at 02:26:45PM -0800, Linus Torvalds wrote:
>
>
> On Wed, 18 Feb 2004, Chris Friesen wrote:
> >
> > There is still a call to do_munmap() that does not check the return
> > code, called from move_vma(), which in turn is called in do_mremap().
> >
> > Can that call ever fail and cause Bad Things to happen?
>
> Yes it can fail, and no, bad things can't happen. We could return the
> error code to user space, but on the other hand, by the time the munmap
> fails we would already have done 90% of the mremap(), so it doesn't much
> help user space to know that the old area still has a vma, but no pages
> associated with it.

which is a bug, mremap has to retire fully and it's not doing that
(obviously we don't want to write a retirement logic, we only want to
preallocate whatever needed so we don't need to retire), but it's not a
bad bug, since it only matters for real apps, an real apps will only
fall into this do_munamp due the oom condition, which isn't going to
trigger in do_munmap anyways, and even in the unlikely case that it does
it is extremly unlikely to generate an exploitable hole in the real (non
malicious) app.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/