From: Martin Schwidefsky <schwidefsky@de.ibm.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: oleg@redhat.com, linux-kernel@vger.kernel.org,
torvalds@linux-foundation.org, akpm@linux-foundation.org
Subject: Re: [PATCH] kernel/kmod: fix use-after-free of the sub_infostructure
Date: Fri, 17 Oct 2014 09:02:14 +0200 [thread overview]
Message-ID: <20141017090214.24eeef30@mschwide> (raw)
In-Reply-To: <201410170630.EBH48400.FSOHVQJOFMLtFO@I-love.SAKURA.ne.jp>
On Fri, 17 Oct 2014 06:30:29 +0900
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> Regarding UMH_NO_WAIT, the sub_info structure can be freed by
> __call_usermodehelper() before the worker thread returns from
> do_execve(), allowing memory corruption when do_execve() failed
> after exec_mmap() is called.
>
> Regarding UMH_WAIT_EXEC, the call to umh_complete() allows
> call_usermodehelper_exec() to continue which then frees sub_info.
>
> To fix this race, we need to make sure that the call to
> call_usermodehelper_freeinfo() in call_usermodehelper_exec() is
> always made after the last store to sub_info->retval.
I like this improved description for the UMH_NO_WAIT and UMH_WAIT_EXEC
cases. I mix it with parts of the original description.
--
blue skies,
Martin.
"Reality continues to ruin my life." - Calvin.
next prev parent reply other threads:[~2014-10-17 7:04 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-16 14:00 [PATCH] kernel/kmod: fix use-after-free of the sub_info structure Martin Schwidefsky
2014-10-16 16:57 ` Tetsuo Handa
2014-10-16 17:42 ` Oleg Nesterov
2014-10-16 21:30 ` [PATCH] kernel/kmod: fix use-after-free of the sub_infostructure Tetsuo Handa
2014-10-16 21:58 ` Oleg Nesterov
2014-10-17 7:04 ` Martin Schwidefsky
2014-10-17 7:36 ` Martin Schwidefsky
2014-10-17 12:55 ` [PATCH] kernel/kmod: fix use-after-free of the sub_info structure Tetsuo Handa
2014-10-17 15:21 ` [PATCH] kernel/kmod: fix use-after-free of the sub_infostructure Oleg Nesterov
2014-10-17 19:15 ` [PATCH 0/2] (Was: kernel/kmod: fix use-after-free of the sub_infostructure) Oleg Nesterov
2014-10-17 19:16 ` [PATCH 1/2] usermodehelper: don't use CLONE_VFORK for ____call_usermodehelper() Oleg Nesterov
2014-10-17 19:16 ` [PATCH 2/2] usermodehelper: kill the kmod_thread_locker logic Oleg Nesterov
2014-10-17 23:54 ` [PATCH 0/2] (Was: kernel/kmod: fix use-after-free of thesub_infostructure) Tetsuo Handa
2014-10-17 7:02 ` Martin Schwidefsky [this message]
2014-10-16 17:37 ` [PATCH] kernel/kmod: fix use-after-free of the sub_info structure Oleg Nesterov
2014-10-16 20:16 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141017090214.24eeef30@mschwide \
--to=schwidefsky@de.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.