From: Vegard Nossum <vegard.nossum@oracle.com>
To: Jan Kara <jack@suse.cz>, LKML <linux-kernel@vger.kernel.org>
Subject: inotify cookie regression/info leak in latest mainline
Date: Sat, 15 Feb 2014 22:39:38 +0100
Message-ID: <52FFDE9A.2030109@oracle.com>

Hi,

It would seem that

    commit 7053aee26a3548ebaba046ae2e52396ccf56ac6c
    Author: Jan Kara <jack@suse.cz>
    Date: Tue Jan 21 15:48:14 2014 -0800

        fsnotify: do not share events between notification groups

introduced a bug where the cookie field of struct inotify_event never
gets initialised. In particular, it used to be initialised when
send_to_group() called fsnotify_create_event(), but that no longer
happens, and the 'cookie' parameter of send_to_group() never gets used.

The problem manifests itself in copy_event_to_user() where the cookie
field is copied to userspace without being initialised.

I tested this with a simple userspace program, I seem to get mostly
0xffff8800 in the cookie field for non-move events (which should always
have 0 here).

Vegard
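
Added example, not part of the original message and not the test program it mentions: a userspace regression check that walks the records read from an inotify descriptor and counts non-move events whose cookie is nonzero. The names count_bad_cookies and constructed_sample, the temporary directory name and the sample cookie value 7 are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Count events in a read(2) buffer that are not moves yet carry a cookie. */
int count_bad_cookies(const char *buf, size_t len) {
    size_t off = 0;
    int bad = 0;
    while (len - off >= sizeof(struct inotify_event)) {
        struct inotify_event ev;
        memcpy(&ev, buf + off, sizeof ev);   /* buffer may be unaligned */
        if (ev.len > len - off - sizeof ev)
            break;                           /* truncated record */
        if (!(ev.mask & IN_MOVE) && ev.cookie != 0)
            bad++;
        off += sizeof ev + ev.len;           /* header plus padded name */
    }
    return bad;
}

/* Constructed sample: a rename event, then a create event with a stale cookie. */
int constructed_sample(void) {
    char buf[2 * sizeof(struct inotify_event)];
    struct inotify_event ev = { .wd = 1, .mask = IN_MOVED_FROM, .cookie = 7 };
    memcpy(buf, &ev, sizeof ev);             /* move: cookie is legitimate */
    ev.mask = IN_CREATE;
    ev.cookie = 0xffff8800u;                 /* value quoted in the report */
    memcpy(buf + sizeof ev, &ev, sizeof ev);
    return count_bad_cookies(buf, sizeof buf);
}

/* Live check: create and delete a file in a watched temporary directory. */
int main(void) {
    char buf[4096], file[64], dir[] = "/tmp/cookie-XXXXXX";
    int fd = inotify_init();
    if (fd < 0 || !mkdtemp(dir) || inotify_add_watch(fd, dir, IN_ALL_EVENTS) < 0)
        return 2;
    snprintf(file, sizeof file, "%s/f", dir);
    close(open(file, O_CREAT | O_WRONLY, 0600));
    unlink(file);
    ssize_t n = read(fd, buf, sizeof buf);   /* events are already queued */
    rmdir(dir);
    int bad = n > 0 ? count_bad_cookies(buf, (size_t)n) : -1;
    printf("non-move events with nonzero cookie: %d\n", bad);
    return bad != 0;
}
```

A result of 0 from the live check is the expected behaviour; any positive count means the kernel returned cookie bytes it never set for create, open, close or delete events.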