From: Shi Weihua <shiwh@cn.fujitsu.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	morgan@kernel.org, linux-security-module@vger.kernel.org,
	LKML <linux-kernel@vger.kernel.org>,
	jmorris@namei.org
Subject: Re: [PATCH] capabilities: fix sys_prctl() returned uninitialized value
Date: Thu, 22 May 2008 08:58:53 +0800
Message-ID: <4834C54D.90800@cn.fujitsu.com>
In-Reply-To: <20080521123802.GB7715@sergelap.austin.ibm.com>

Serge E. Hallyn wrote:
> Quoting Shi Weihua (shiwh@cn.fujitsu.com):
>> When we test kernel by the latest LTP(20080430) on ia64,
>> the following failure occurred:
>> -------------------------------------
>> prctl01     1  PASS  :  Test Passed
>> prctl01     0  WARN  :  prctl() returned 2048 errno = 0 : Success
>> prctl01     1  PASS  :  Test Passed
>> prctl01     2  FAIL  :  Test Failed
>> -------------------------------------
>>
>> We found commit 3898b1b4ebff8dcfbcf1807e0661585e06c9a91c
>> causes this failure by git-bisect.
>> And, we found *rc_p has not been initialized if switch-default 
>> of the function cap_task_prctl()(security/commoncap.c). When *rc_p
>> uninitialized, sys_prctl() will return a wrong value.
>>
>> Signed-off-by: Shi Weihua <shiwh@cn.fujitsu.com> 
>> ---
>> diff --git a/security/commoncap.c b/security/commoncap.c
>> index 5edabc7..a4b28c8 100644
>> --- a/security/commoncap.c
>> +++ b/security/commoncap.c
>> @@ -649,6 +649,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
>>
>>  	default:
>>  		/* No functionality available - continue with default */
>> +		*rc_p = 0;
>>  		return 0;
>>  	}
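
Review bot: In the default case, the added `*rc_p = 0;` writes the out-parameter on the path whose own comment says "No functionality available - continue with default" and which returns 0, so the hook would be changing the caller's return value for options it does not handle. If sys_prctl() can return a value that nothing assigned, the variable it passes as rc_p should be initialized, or assigned on each branch, in sys_prctl() itself; the commit message should also say which prctl option produced the 2048 in the LTP run.
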
> 
> No, this case here means that the capability module is not taking
> responsibility for this call.  So it should not be setting rc_p.

OK, we noticed the following comment in include/linux/security.h.
+ *      @rc_p contains a pointer to communicate back the forced return code
+ *     Return 0 if permission is granted, and non-zero if the security module
+ *      has taken responsibility (setting *rc_p) for the prctl call.

> 
> So you'll want to find another path in kernel/sys.c:sys_prctl()
> where error doesn't get set.  Do you know what 'i' was in prctl01
> at the time of failure?

'i' was 1 (PR_SET_PDEATHSIG).

I will create a new patch ASAP.

Thanks.

> 
> For instance, I notice that PR_SET_DUMPABLE doesn't set the value
> of error if arg2 is valid.  Also PR_SET_NAME and PR_GET_NAME
> don't set error.
> 
> -serge
> 
> 
> 
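
A simplified user-space model of the hook contract discussed in this thread, added here as an illustration; it is not kernel code and not code from either poster. The names model_cap_hook and model_prctl, the OPT_* constants, the choice of which option the model hook handles, and the STALE stand-in for the unassigned variable are assumptions.

```c
#include <stdio.h>

/* Model option numbers; the values match <linux/prctl.h>. */
enum { OPT_GET_KEEPCAPS = 7, OPT_SET_NAME = 15 };

#define STALE    2048L  /* constructed stand-in for an unassigned variable */
#define M_EINVAL 22

/*
 * Hook contract from the security.h comment quoted in the thread:
 * non-zero return = module handled the call and set *rc_p;
 * zero return     = not handled, *rc_p must be left alone.
 */
static int model_cap_hook(int option, long *rc_p)
{
    switch (option) {
    case OPT_GET_KEEPCAPS:  /* assumed to be handled by the model hook */
        *rc_p = 0;          /* module takes responsibility */
        return 1;
    default:
        return 0;           /* not ours: leave *rc_p untouched */
    }
}

/* Caller. `initial` is what `error` holds before any branch assigns it. */
static long model_prctl(int option, long initial)
{
    long error = initial;

    if (model_cap_hook(option, &error))
        return error;       /* forced return code from the module */

    switch (option) {
    case OPT_SET_NAME:
        /* work happens here, but this branch never assigns `error` */
        break;
    default:
        error = -M_EINVAL;
        break;
    }
    return error;
}

int main(void)
{
    printf("unset caller variable: %ld\n", model_prctl(OPT_SET_NAME, STALE));
    printf("initialized to 0:      %ld\n", model_prctl(OPT_SET_NAME, 0));
    printf("handled by the hook:   %ld\n", model_prctl(OPT_GET_KEEPCAPS, STALE));
    return 0;
}
```

The hook never needs to write `*rc_p` on its default path; the stale value disappears once the caller owns the initialization of its own return variable.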

