From: Vegard Nossum <vegard.nossum@oracle.com>
To: Jan Kara <jack@suse.cz>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: Re: inotify cookie regression/info leak in latest mainline
Date: Mon, 17 Feb 2014 22:10:45 +0100
Message-ID: <53027AD5.7060808@oracle.com>
In-Reply-To: <20140217125954.GD3686@quack.suse.cz>

On 02/17/2014 01:59 PM, Jan Kara wrote:
> Hello,
>
> On Sat 15-02-14 22:39:38, Vegard Nossum wrote:
>> It would seem that
>>
>> commit 7053aee26a3548ebaba046ae2e52396ccf56ac6c
>> Author: Jan Kara <jack@suse.cz>
>> Date: Tue Jan 21 15:48:14 2014 -0800
>>
>> fsnotify: do not share events between notification groups
>>
>> introduced a bug where the cookie field of struct inotify_event
>> never gets initialised. In particular, it used to be initialised
>> when send_to_group() called fsnotify_create_event(), but that no
>> longer happens, and the 'cookie' parameter of send_to_group() never
>> gets used.
>>
>> The problem manifests itself in copy_event_to_user() where the
>> cookie field is copied to userspace without being initialised.
>>
>> I tested this with a simple userspace program, I seem to get mostly
>> 0xffff8800 in the cookie field for non-move events (which should
>> always have 0 here).
> That's a really embarrassing bug. I've extended LTP inotify tests to
> verify the cookie value is sane (so far the tests completely ignored the
> value which is why I didn't notice the breakage).
>
> Attached patch fixes the problem for me. I'll send it to Linus tomorrow.
> Thanks for spotting the problem!

That seems to fix it for me too, thanks for the quick fix!

Vegard
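
A userspace check for the symptom discussed in this thread, as an added example that is not part of the original messages and is neither the test program nor the LTP change they mention: it reads events from an inotify descriptor and counts non-move events whose cookie field is not 0. The function names, the scratch file name `cookie-check.tmp` and the default directory `/tmp` are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>

/* Walk a buffer as returned by read(2) on an inotify fd. Returns the number
 * of non-move events with a non-zero cookie, or -1 on a truncated buffer. */
int count_bad_cookies(const char *buf, size_t len)
{
    int bad = 0;
    for (size_t off = 0; off < len; ) {
        struct inotify_event ev;
        if (len - off < sizeof(ev))
            return -1;
        memcpy(&ev, buf + off, sizeof(ev));   /* header only; avoids unaligned access */
        if (ev.len > len - off - sizeof(ev))
            return -1;
        if (!(ev.mask & (IN_MOVED_FROM | IN_MOVED_TO)) && ev.cookie != 0)
            bad++;                            /* cookie should be 0 outside renames */
        off += sizeof(ev) + ev.len;           /* ev.len covers the padded name */
    }
    return bad;
}

/* Live check: create and delete a scratch file in `dir` (assumed writable)
 * and inspect what the running kernel reports. Returns -1 on setup failure. */
int live_check(const char *dir)
{
    char buf[4096], path[512];
    int f, fd = inotify_init();
    ssize_t n = -1;
    snprintf(path, sizeof(path), "%s/cookie-check.tmp", dir);
    if (fd < 0)
        return -1;
    if (inotify_add_watch(fd, dir, IN_CREATE | IN_DELETE) >= 0 &&
        (f = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600)) >= 0) {
        close(f);
        unlink(path);
        n = read(fd, buf, sizeof(buf));       /* IN_CREATE and IN_DELETE are queued */
    }
    close(fd);
    return n < 0 ? -1 : count_bad_cookies(buf, (size_t)n);
}

int main(int argc, char **argv)
{
    int bad = live_check(argc > 1 ? argv[1] : "/tmp");
    printf("non-move events with non-zero cookie: %d\n", bad);
    return bad != 0;
}
```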