From: Jan Kara <jack@suse.cz>
To: Michal Hocko <mhocko@suse.cz>
Cc: Jiri Kosina <jkosina@suse.cz>, Meelis Roos <mroos@linux.ee>,
Linux Kernel list <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: file offset corruption on 32-bit machines?
Date: Thu, 10 Apr 2008 17:56:53 +0200 [thread overview]
Message-ID: <20080410155653.GF20656@duck.suse.cz> (raw)
In-Reply-To: <200804101737.16825.mhocko@suse.cz>
On Thu 10-04-08 17:37:16, Michal Hocko wrote:
> On Thursday 10 April 2008 05:19:45 pm Jan Kara wrote:
> > > On Thu, 10 Apr 2008, Jan Kara wrote:
> > > > > The f_pos races are in fact exploitable, we've already been there.
> > > > > See for example
> > > > > http://www.isec.pl/vulnerabilities/isec-0016-procleaks.txt
> > > >
> > > > Well, this race is more subtle - the window is just one instruction
> > > > wide (stores to f_pos from CPU2 must come between the store of lower
> > > > and upper 32-bits of f_pos on CPU1). And the only result is that f_pos
> > > > has 32-bits from one file pointer and 32-bits from the other one. So I
> > > > can hardly imagine this would be exploitable...
> > >
> > > Supposing you are not holding any spinlock and are running with
> > > preemptible kernel (pretty common scenario nowadays), there is nothing
> > > that would prevent kernel from rescheduling between the two instructions,
> > > enlarging the race window to be more comfortable for attacker, right?
> >
> > Yes, this is theoretically possible.
> >
> > > I think this is worth fixing.
> >
> > Hmm, maybe it is, although I still don't see how to exploit it :).
>
> Maybe (just guess) some high priority malicious process could try to preempt
> reading thread to always in the bad moment (when the half of the f_pos is
> written) and thus forcing it to read bad data (you usually don't check that
> file position is growing after each read and you wait only for end of the
> file).
> But do agree, I still don't see something with really security implications
> (privileged processes usually don't work with such a big files).
Well, but for this to work the process you try to attack must access the
file from several threads in parallel without any locking... And I'm not
aware of anybody really doing this.
Really the only attack vector I could imagine is that you create several
malitious processes which will try to corrupt f_pos and then use it (like
if you could make it negative, I could imagine this could trigger some bug
somewhere). But since possible corruptions are quite limited, I don't see
how to corrupt f_pos to something at least remotely "useful".
Honza
--
Jan Kara <jack@suse.cz>
SUSE Labs, CR
next prev parent reply other threads:[~2008-04-10 15:57 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-08 8:05 file offset corruption on 32-bit machines? Meelis Roos
2008-04-10 13:55 ` Michal Hocko
2008-04-10 14:01 ` Jiri Kosina
2008-04-10 14:27 ` Jan Kara
2008-04-10 14:31 ` Jiri Kosina
2008-04-10 14:48 ` Matthew Wilcox
2008-04-10 15:22 ` Jan Kara
2008-04-10 15:30 ` Matthew Wilcox
2008-04-10 15:19 ` Jan Kara
2008-04-10 15:37 ` Michal Hocko
2008-04-10 15:56 ` Jan Kara [this message]
2008-04-10 16:03 ` Diego Calleja
2008-04-10 16:03 ` Diego Calleja
2008-04-10 16:15 ` Jan Kara
2008-04-11 19:26 ` Pavel Machek
2008-04-14 16:25 ` Jan Kara
2008-04-10 14:31 ` Michal Hocko
2008-04-10 14:35 ` Jiri Kosina
2008-04-10 14:11 ` Martin Mares
2008-04-10 15:12 ` Jan Kara
2008-04-10 15:14 ` Jamie Lokier
2008-04-10 15:21 ` Matthew Wilcox
2008-04-10 15:28 ` Jan Kara
2008-04-10 15:33 ` Andi Kleen
[not found] <agh4d-6yc-35@gated-at.bofh.it>
[not found] ` <ah5tY-3lR-7@gated-at.bofh.it>
[not found] ` <ah5DA-3X9-9@gated-at.bofh.it>
[not found] ` <ah5X5-4tl-13@gated-at.bofh.it>
[not found] ` <ah66A-4Nk-7@gated-at.bofh.it>
[not found] ` <ah7vN-7Wz-9@gated-at.bofh.it>
2008-04-11 12:24 ` Bodo Eggert
2008-04-11 12:24 ` Bodo Eggert
2008-04-11 13:55 ` Lennart Sorensen
2008-04-11 16:59 ` Bryan Henderson
2008-04-11 17:15 ` Lennart Sorensen
2008-04-11 21:29 ` Bryan Henderson
2008-04-12 8:48 ` Pavel Machek
2008-04-14 16:20 ` Jan Kara
2008-04-14 16:22 ` Lennart Sorensen
2008-04-14 16:53 ` Jan Kara
2008-04-14 16:54 ` Alan Cox
2008-04-14 18:34 ` Alexey Dobriyan
2008-04-14 17:06 ` Lennart Sorensen
2008-04-14 19:03 ` Jan Kara
2008-04-14 19:29 ` Lennart Sorensen
2008-04-14 19:42 ` Jan Kara
2008-04-14 19:45 ` Lennart Sorensen
2008-04-15 8:57 ` Pavel Machek
2008-04-15 15:32 ` Lennart Sorensen
2008-04-15 17:34 ` Pavel Machek
2008-04-15 18:24 ` Lennart Sorensen
2008-04-15 19:12 ` Pavel Machek
2008-04-15 19:49 ` Lennart Sorensen
2008-04-15 20:06 ` Pavel Machek
2008-04-15 20:28 ` Peter Zijlstra
2008-04-16 8:15 ` Pavel Machek
2008-04-16 8:20 ` Peter Zijlstra
2008-04-16 10:54 ` Alan Cox
2008-04-16 13:57 ` Lennart Sorensen
2008-04-15 20:29 ` Lennart Sorensen
2008-04-15 22:11 ` Bryan Henderson
2008-04-16 9:40 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080410155653.GF20656@duck.suse.cz \
--to=jack@suse.cz \
--cc=jkosina@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@suse.cz \
--cc=mroos@linux.ee \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.