From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jan Kara <jack@suse.cz>
Subject: Re: file offset corruption on 32-bit machines?
Date: Mon, 14 Apr 2008 21:03:09 +0200
Message-ID: <20080414190308.GJ15824@duck.suse.cz>
References: <ah5DA-3X9-9@gated-at.bofh.it> <ah5X5-4tl-13@gated-at.bofh.it> <ah66A-4Nk-7@gated-at.bofh.it> <ah7vN-7Wz-9@gated-at.bofh.it> <E1JkIJ0-0000tG-LV@be1.7eggert.dyndns.org> <20080411135544.GG2160@csclub.uwaterloo.ca> <20080414162031.GD15824@duck.suse.cz> <20080414162202.GB7387@csclub.uwaterloo.ca> <20080414165354.GF15824@duck.suse.cz> <20080414170613.GI7385@csclub.uwaterloo.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Bodo Eggert <7eggert@gmx.de>, Diego Calleja <diegocg@gmail.com>,
	Jiri Kosina <jkosina@suse.cz>, Michal Hocko <mhocko@suse.cz>,
	Meelis Roos <mroos@linux.ee>,
	Linux Kernel list <linux-kernel@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org
To: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from styx.suse.cz ([82.119.242.94]:37985 "EHLO mail.suse.cz"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1753464AbYDNTDK (ORCPT <rfc822;linux-fsdevel@vger.kernel.org>);
	Mon, 14 Apr 2008 15:03:10 -0400
Content-Disposition: inline
In-Reply-To: <20080414170613.GI7385@csclub.uwaterloo.ca>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On Mon 14-04-08 13:06:13, Lennart Sorensen wrote:
> On Mon, Apr 14, 2008 at 06:53:54PM +0200, Jan Kara wrote:
> >   Well, but imagine you have a file /proc/my_secret_file from which you
> > are able to read from position A:a and B:b but not from position
> > A:b. Concievably, checks for the file position could be bypassed because of
> > this race... I know this is kind of dumb example but I can imagine someone
> > can eventually find something like this. So I guess one spin lock/unlock
> > pair is a price worth paying in the callpath which is quite long anyway.
> 
> But only two threads within the process can read from the filehandle and
> hence the process would be doing locking.  And external attacker can't
  Why would it be doing locking? If some nasty user runs the process, he
*wants* his two threads to race as much as possible and trigger the race.
And then use corrupted f_pos.

> break the internal locking of the process between the threads, and even
> if you do open the file in /proc that the process is using, being and
> external process you would have your own file handle and hence your own
> file position since you aren't part of that process.

								Honza
-- 
Jan Kara <jack@suse.cz>
SUSE Labs, CR