Re: file offset corruption on 32-bit machines?
From: Jan Kara
Date: Thu Apr 10 2008 - 11:20:00 EST
> On Thu, 10 Apr 2008, Jan Kara wrote:
>
> > > The f_pos races are in fact exploitable, we've already been there. See
> > > for example http://www.isec.pl/vulnerabilities/isec-0016-procleaks.txt
> > Well, this race is more subtle - the window is just one instruction
> > wide (stores to f_pos from CPU2 must come between the store of lower and
> > upper 32-bits of f_pos on CPU1). And the only result is that f_pos has
> > 32-bits from one file pointer and 32-bits from the other one. So I can
> > hardly imagine this would be exploitable...
>
> Supposing you are not holding any spinlock and are running with
> preemptible kernel (pretty common scenario nowadays), there is nothing
> that would prevent kernel from rescheduling between the two instructions,
> enlarging the race window to be more comfortable for attacker, right?
Yes, this is theoretically possible.
> I think this is worth fixing.
Hmm, maybe it is, although I still don't see how to exploit it :).
Honza
--
Jan Kara <jack@xxxxxxx>
SuSE CR Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/