From: Cyrill Gorcunov <gorcunov@openvz.org>
To: linux-kernel@vger.kernel.org
Cc: akpm@linux-foundation.org, keescook@chromium.org,
oleg@redhat.com, tj@kernel.org, avagin@openvz.org,
ebiederm@xmission.com, hpa@zytor.com, serge.hallyn@canonical.com,
xemul@parallels.com, segoon@openwall.com,
kamezawa.hiroyu@jp.fujitsu.com, mtk.manpages@gmail.com,
jln@google.com, Cyrill Gorcunov <gorcunov@openvz.org>
Subject: [patch 1/2 -mm] prctl: PR_SET_MM_MAP -- Copy @auxv from userspace early
Date: Sat, 23 Aug 2014 12:46:12 +0400 [thread overview]
Message-ID: <20140823085007.310194940@openvz.org> (raw)
In-Reply-To: 20140823084611.939722362@openvz.org
Oleg noticed that I'm doing strange games with the mm::mmap_sem
member -- I take it and keep it busy while validating data which
comes from user space, but then I release it and copy the auxv
data itself.
This means we've a small window where previously found VMAs might
no longer be valid, thus move @auxv validation and copying to the
beginning of prctl_set_mm_map before we take the lock.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
CC: Oleg Nesterov <oleg@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrew Vagin <avagin@openvz.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Vasiliy Kulikov <segoon@openwall.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Julien Tinnes <jln@google.com>
---
kernel/sys.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
Index: linux-2.6.git/kernel/sys.c
===================================================================
--- linux-2.6.git.orig/kernel/sys.c
+++ linux-2.6.git/kernel/sys.c
@@ -1838,22 +1838,28 @@ static int prctl_set_mm_map(int opt, con
if (copy_from_user(&prctl_map, addr, sizeof(prctl_map)))
return -EFAULT;
- down_read(&mm->mmap_sem);
-
- if (validate_prctl_map_locked(&prctl_map))
- goto out;
-
+ /*
+ * Validate and copy auxv early to be able to keep
+ * @mmap_sem taken until this function ends.
+ */
if (prctl_map.auxv_size) {
- up_read(&mm->mmap_sem);
+ if (!prctl_map.auxv ||
+ prctl_map.auxv_size > sizeof(mm->saved_auxv))
+ return -EINVAL;
+
memset(user_auxv, 0, sizeof(user_auxv));
error = copy_from_user(user_auxv,
(const void __user *)prctl_map.auxv,
prctl_map.auxv_size);
- down_read(&mm->mmap_sem);
if (error)
goto out;
}
+ down_read(&mm->mmap_sem);
+
+ if (validate_prctl_map_locked(&prctl_map))
+ goto out;
+
if (prctl_map.exe_fd != (u32)-1) {
error = prctl_set_mm_exe_file_locked(mm, prctl_map.exe_fd);
if (error)
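Review bot: the `goto out` after the moved copy_from_user() now runs before `down_read(&mm->mmap_sem)` is taken, yet in the removed version that same `goto out` was reached with the lock held (the old `down_read()` immediately preceded it), so the `out:` label outside this hunk presumably still performs the `up_read()`; unless the label is adjusted too, the early failure path would release a semaphore it never acquired. Suggest returning directly from that path, and since copy_from_user() returns the number of bytes not copied rather than an errno, `error` should not be propagated as-is: `if (copy_from_user(user_auxv, (const void __user *)prctl_map.auxv, prctl_map.auxv_size)) return -EINVAL;` or `-EFAULT` as preferred. The new `!prctl_map.auxv || prctl_map.auxv_size > sizeof(mm->saved_auxv)` check ahead of the copy is the right place for it, as it bounds the copy by the destination buffer before the lock is held.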
2014-08-23 8:46 [patch 0/2 -mm] prctl: PR_SET_MM_MAP -- Drop race window and simplify validate_prctl_map_locked Cyrill Gorcunov
2014-08-23 8:46 ` Cyrill Gorcunov [this message]
2014-08-23 8:46 ` [patch 2/2 -mm] prctl: PR_SET_MM_MAP -- Rework validate_prctl_map_locked to use offsets Cyrill Gorcunov