From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Mateusz Guzik <mguzik@redhat.com>
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
Alexey Dobriyan <adobriyan@gmail.com>,
Jarod Wilson <jarod@redhat.com>,
Jan Stancek <jstancek@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH 0/2] fix up {arg,env}_{start,end} vs prctl
Date: Thu, 7 Jan 2016 12:52:56 +0300 [thread overview]
Message-ID: <20160107095256.GA4306@uranus> (raw)
In-Reply-To: <1452056549-10048-1-git-send-email-mguzik@redhat.com>
On Wed, Jan 06, 2016 at 06:02:27AM +0100, Mateusz Guzik wrote:
> An unprivileged user can trigger an oops on a kernel with
> CONFIG_CHECKPOINT_RESTORE.
>
> proc_pid_cmdline_read takes mmap_sem for reading and obtains args + env
> start/end values. These get sanity checked as follows:
> BUG_ON(arg_start > arg_end);
> BUG_ON(env_start > env_end);
>
> These can be changed by prctl_set_mm. Turns out it also takes the semaphore for
> reading, effectively rendering it useless. This results in:
Thanks a lot for catching it! You know I tried to escape taking the sem
for writing as long as I could, so another option might be simply to
zap these BUG_ONs and rather exit with -EINVAL. On the other hand,
modification under a read-lock of course is not correct in terms
of the "general approach", but these members are special, so I took
a risk. Anyway,
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Thanks again.