Re: inotify cookie regression/info leak in latest mainline

From: Vegard Nossum
Date: Mon Feb 17 2014 - 16:11:01 EST


On 02/17/2014 01:59 PM, Jan Kara wrote:
> Hello,
> 
> On Sat 15-02-14 22:39:38, Vegard Nossum wrote:
> > It would seem that
> > 
> > commit 7053aee26a3548ebaba046ae2e52396ccf56ac6c
> > Author: Jan Kara <jack@xxxxxxx>
> > Date: Tue Jan 21 15:48:14 2014 -0800
> > 
> > fsnotify: do not share events between notification groups
> > 
> > introduced a bug where the cookie field of struct inotify_event
> > never gets initialised. In particular, it used to be initialised
> > when send_to_group() called fsnotify_create_event(), but that no
> > longer happens, and the 'cookie' parameter of send_to_group() never
> > gets used.
> > 
> > The problem manifests itself in copy_event_to_user() where the
> > cookie field is copied to userspace without being initialised.
> > 
> > I tested this with a simple userspace program, I seem to get mostly
> > 0xffff8800 in the cookie field for non-move events (which should
> > always have 0 here).
> That's a really embarrassing bug. I've extended LTP inotify tests to
> verify the cookie value is sane (so far the tests completely ignored the
> value which is why I didn't notice the breakage).
> 
> Attached patch fixes the problem for me. I'll send it to Linus tomorrow.
> Thanks for spotting the problem!

That seems to fix it for me too, thanks for the quick fix!


Vegard
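The invariant the report relies on is simple to state: a non-move inotify event must carry cookie == 0, and the two halves of a rename (IN_MOVED_FROM / IN_MOVED_TO) must carry the same non-zero cookie; an uninitialised field shows up as junk such as the 0xffff8800 seen above, which is kernel stack or heap content leaking to userspace. The program below is an added example written for this page; it is neither Vegard's test program nor the LTP test Jan mentions, and the function names (cookie_violation, run_cookie_check) are my own. It assumes a Linux host with inotify and a writable /tmp; it creates, renames and deletes a file under a watched temporary directory, drains the event queue and counts cookie violations.

```c
/* Added example (not from the thread): exercise inotify and check the
 * cookie invariant the report describes. Assumes Linux + writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

struct cookie_report {
    int setup_ok;          /* 0 if the temp dir or inotify could not be set up */
    int events;            /* number of events read from the queue */
    int violations;        /* events whose cookie breaks the invariant */
    uint32_t from_cookie;  /* cookie seen on IN_MOVED_FROM (0 if none) */
    uint32_t to_cookie;    /* cookie seen on IN_MOVED_TO (0 if none) */
};

/* Returns 1 if (mask, cookie) violates the invariant, 0 otherwise.
 * Rename halves must carry a non-zero cookie; everything else must be 0. */
static int cookie_violation(uint32_t mask, uint32_t cookie)
{
    if (mask & (IN_MOVED_FROM | IN_MOVED_TO))
        return cookie == 0;
    return cookie != 0;
}

static struct cookie_report run_cookie_check(void)
{
    struct cookie_report r = {0};
    char dir[] = "/tmp/inotify-cookie-XXXXXX";   /* hypothetical scratch dir */
    char src[64], dst[64];
    /* inotify events are variable length; keep the buffer suitably aligned */
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int fd, wd, f;

    if (!mkdtemp(dir))
        return r;
    fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) { rmdir(dir); return r; }
    wd = inotify_add_watch(fd, dir,
                           IN_CREATE | IN_MOVED_FROM | IN_MOVED_TO | IN_DELETE);
    if (wd < 0) { close(fd); rmdir(dir); return r; }
    r.setup_ok = 1;

    snprintf(src, sizeof src, "%s/a", dir);
    snprintf(dst, sizeof dst, "%s/b", dir);
    f = open(src, O_CREAT | O_WRONLY, 0600);   /* IN_CREATE: cookie must be 0 */
    if (f >= 0) close(f);
    rename(src, dst);        /* IN_MOVED_FROM + IN_MOVED_TO: shared non-zero cookie */
    unlink(dst);             /* IN_DELETE: cookie must be 0 */

    /* Events are queued synchronously with the operations above, so the
     * poll timeout is only a safety margin; drain until the queue is empty. */
    for (;;) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        ssize_t n;
        if (poll(&p, 1, 200) <= 0)
            break;
        n = read(fd, buf, sizeof buf);
        if (n <= 0)
            break;
        for (ssize_t off = 0; off < n; ) {
            struct inotify_event *ev = (struct inotify_event *)(buf + off);
            r.events++;
            r.violations += cookie_violation(ev->mask, ev->cookie);
            if (ev->mask & IN_MOVED_FROM) r.from_cookie = ev->cookie;
            if (ev->mask & IN_MOVED_TO)   r.to_cookie   = ev->cookie;
            off += sizeof *ev + ev->len;
        }
    }
    if (r.from_cookie != r.to_cookie)   /* rename halves must pair up */
        r.violations++;
    close(fd);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct cookie_report r = run_cookie_check();
    if (!r.setup_ok) {
        fprintf(stderr, "inotify setup failed: %s\n", strerror(errno));
        return 2;
    }
    printf("%d events, %d cookie violations, move cookies %u/%u\n",
           r.events, r.violations, r.from_cookie, r.to_cookie);
    return r.violations ? 1 : 0;
}
```

On a kernel carrying the regression, the IN_CREATE and IN_DELETE events come back with a non-zero cookie and the program exits 1; on a fixed kernel the only non-zero cookies are the matching pair on the two rename events. The point of asserting on cookie == 0 rather than just on the rename pair is exactly the gap Jan describes in the LTP tests: a test that only checks the move cookies never notices that unrelated events are leaking uninitialised kernel memory.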