From: Petr Tesarik <ptesarik@suse.cz>
To: linux-ia64@vger.kernel.org
Subject: Re: [PATCH] ptrace RSE bug
Date: Wed, 14 Nov 2007 07:55:38 +0000
Message-ID: <473AA9FA.6020308@suse.cz>
In-Reply-To: <1188357710.22637.7.camel@sli10-conroe.sh.intel.com>
Roland McGrath wrote:
>> I found it extremely difficult to trigger the race condition without the
>> artificial test - arch_ptrace_stop() only sleeps if the user page is not
>> present, but in the common case the register stack backing store will
>> have been quite recently accessed by the process.
>
> It is supposed to be a rare race, after all. :-) We're just being thorough
> to cover it, not that it ever actually happened in practice or was expected to.
>
>> It should be possible to create a large file, flush the page cache, put
>> the RSE into lazy mode, flush it and map the register stack from that
>> file, so that no memory accesses to the backing store are done before
>> ptrace_stop(), but for the time being I placed an msleep(100) after
>> arch_ptrace_stop().
>
> And then make the file so mapped be from a broken NFS or FUSE or somesuch
> mount that actually blocks forever on the fault. That would be the
> probable style of a DoS attack exploiting this to create unkillable processes.
That's exactly what I did. FUSE doesn't implement mmap (guess why), but
I was able to trigger the race even with a working NFS after tweaking
the timing a bit. I'm attaching the test case I used (the NFS volume was
mounted on /nfs).
Regards,
Petr Tesarik
[-- Attachment #2: sigkill-race.tar.gz --]
[-- Type: application/gzip, Size: 1916 bytes --]