Re: 2.6.22-rc6(mm1) Unable to handle kernel NULL pointer dereference - git-bisect result

From: Al Viro
Date: Sun Jul 08 2007 - 14:20:16 EST


On Sun, Jul 08, 2007 at 10:41:46AM -0700, Ulrich Drepper wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Al Viro wrote:
> > Like hell. At the very least you want it to be opened for write.
> > And even that is dubious, since "process has write access to file"
> > is not quite the same thing as "somebody had given the process a
> > descriptor opened for write".
>
> But the real permissions tests are performed in notify_change. I think
> all this is consistent with how, for instance, fchmod works. The
> additional tests in fchmod which aren't here (IS_RDONLY and IS_APPEND)
> would also apply to the case where a file name is given. So, either the
> code was inconsistent already are these tests are really not needed.

Yes, it's either that, or you haven't bothered to read what it really
does. ATTR_UID et.al. are checked in inode_change_ok(). So is
ATTR_MTIME_SET (only owner can explicitly set timestamps). ATTR_MTIME
is not and *should* *not* be checked there. Exactly because it's
done as a side effect of many operations with access control of their
own and nothing that could be pushed down into notify_change() path.
Think of e.g. write(2) - by the time you get to notify_change(), you
don't even have a file descriptor. Just the dentry and process writing
to file doesn't have to have *any* permissions on it.

Hell, _try_ it. Build the kernel with your patch and without it.
Call utimes() with NULL second argument on a file you have no write
access to. See if the timestamps change.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/