From: Andrew Tridgell <tridge@valinux.com>
To: davem@redhat.com
Cc: zackw@stanford.edu, linux-kernel@vger.kernel.org
Subject: Re: 2.2 PATCH: check return from copy_*_user in fs/pipe.c
Date: Tue, 19 Jun 2001 21:33:48 -0700 (PDT)
Message-ID: <20010620043348.9B597474B@lists.samba.org>
In-Reply-To: <15152.1911.886630.381952@pizda.ninka.net> (davem@redhat.com)
In-Reply-To: <20010619184802.D5679@stanford.edu> <15152.1911.886630.381952@pizda.ninka.net>

Davem wrote:
>  > The anonymous pipe code in 2.2 does not check the return value of
>  > copy_*_user.  This can lead to silent loss of data.
> 
> I remember Andrew Tridgell (cc:'d) spotting this a long time
> ago, and we didn't fix it, and I forget what the reason was.

Linus didn't want to fix it in pipe.c until copy_from_user was fixed
on all architectures to zero any parts of the destination that were
not written to (due to the source being invalid). He didn't want us to
fix just this one case and then forget about fixing the general case
by fixing copy_*_user.

I had a sample program that was able to dump all of memory to a file
as an unprivileged user by using a combination of pipe/fork/mmap in a
loop. It exploited the fact that a write from NULL on a pipe would end
up leaving uninitialised data in the pipe buffer which could be read
by the program. The fork/mmap loop was used to traverse all pages by
consuming the last freed page after each pipe close. This could then
be used to grab passwords or other sensitive information from other
users.

Is copy_from_user now fixed on all architectures? If so, then maybe we
can finally check the error return in pipe.c. I think that not telling
a program that a write to a fd failed is pretty bogus.

Cheers, Tridge
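
As an added example that is not part of Tridge's mail or of any kernel tree, the following user-space probe exercises the failure mode he describes from the calling side of the system call. It builds a two-page source buffer whose second page is PROT_NONE, so the kernel's copy_from_user() has to fault part way through a write() to a pipe, then drains the pipe and checks three things: that write() never credits more bytes than were actually readable (the 2.2 fs/pipe.c code that ignored the copy's return value would fail here), that the reader never gets more bytes than the writer was credited with, and that every byte read back is the caller's own 0xA5 fill rather than stale kernel memory. The function and enum names are this example's own. It checks the observable contract only; it cannot see whether copy_from_user() zeroes the unwritten tail, which is the kernel-side fix Tridge asks about.

```c
/* Added example (not from the thread): user-space probe for a pipe
 * write whose source faults half way.  Names below are this example's
 * own, not kernel or libc API. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

enum probe_result {
    PROBE_OK = 0,
    PROBE_SETUP_FAILED,        /* mmap/mprotect/pipe failed; nothing learned */
    PROBE_WRITE_OVERCOUNTED,   /* write() counted bytes it could not have read */
    PROBE_READ_OVERLENGTH,     /* reader got more bytes than write() reported */
    PROBE_DATA_MISMATCH        /* read-back bytes differ from the valid page */
};

#define FILL 0xA5  /* recognisable pattern placed in the readable page */

/* Returns PROBE_OK when the kernel neither over-reports the write nor lets
 * anything past the valid prefix reach the reader.  *reported receives
 * write()'s return value (or -errno), *got the byte count read back. */
enum probe_result probe_pipe_partial_fault(ssize_t *reported, ssize_t *got)
{
    long page = sysconf(_SC_PAGESIZE);
    *reported = 0;
    *got = 0;
    if (page <= 0)
        return PROBE_SETUP_FAILED;
    size_t span = 2 * (size_t)page;

    /* Two adjacent anonymous pages: [readable, filled with 0xA5][PROT_NONE]. */
    unsigned char *src = mmap(NULL, span, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (src == MAP_FAILED)
        return PROBE_SETUP_FAILED;
    memset(src, FILL, (size_t)page);
    if (mprotect(src + page, (size_t)page, PROT_NONE) != 0) {
        munmap(src, span);
        return PROBE_SETUP_FAILED;
    }

    int fds[2];
    if (pipe(fds) != 0) {
        munmap(src, span);
        return PROBE_SETUP_FAILED;
    }
    /* Non-blocking reads: an empty pipe yields EAGAIN instead of hanging. */
    fcntl(fds[0], F_SETFL, fcntl(fds[0], F_GETFL) | O_NONBLOCK);

    /* Ask for the whole span; the in-kernel copy must fault after `page` bytes. */
    ssize_t w = write(fds[1], src, span);
    *reported = (w < 0) ? -errno : w;

    /* Drain the pipe with one extra byte of room so any over-length shows. */
    unsigned char *back = malloc(span + 1);
    if (!back) {
        close(fds[0]); close(fds[1]); munmap(src, span);
        return PROBE_SETUP_FAILED;
    }
    size_t total = 0;
    for (;;) {
        ssize_t r = read(fds[0], back + total, span + 1 - total);
        if (r <= 0)     /* -1/EAGAIN: pipe empty; 0 cannot occur, writer still open */
            break;
        total += (size_t)r;
        if (total == span + 1)
            break;
    }
    *got = (ssize_t)total;
    close(fds[0]);
    close(fds[1]);
    munmap(src, span);

    enum probe_result res = PROBE_OK;
    size_t credited = (w < 0) ? 0 : (size_t)w;
    if (w > page)
        res = PROBE_WRITE_OVERCOUNTED;   /* the 2.2 bug: a faulting copy still counted */
    else if (total > credited)
        res = PROBE_READ_OVERLENGTH;     /* reader saw bytes the writer was not told about */
    else
        for (size_t i = 0; i < total; i++)
            if (back[i] != FILL) { res = PROBE_DATA_MISMATCH; break; }
    free(back);
    return res;
}

/* Convenience wrapper: 1 if the kernel passed the probe, 0 otherwise. */
int probe_pipe_ok(void)
{
    ssize_t reported, got;
    return probe_pipe_partial_fault(&reported, &got) == PROBE_OK;
}

int main(void)
{
    ssize_t reported, got;
    enum probe_result res = probe_pipe_partial_fault(&reported, &got);
    printf("write() reported %zd, read back %zd bytes, result %d\n",
           reported, got, (int)res);
    return res == PROBE_OK ? 0 : 1;
}
```

Build with cc -o pipeprobe pipeprobe.c and run it as an unprivileged user; exit status 0 means the kernel passed. The expected outcome on a correct kernel is a short write of exactly one page with exactly that page read back; a kernel that instead fails the whole write with EFAULT and leaves the pipe empty also passes. Anything read back beyond what write() credited, or any byte that is not the 0xA5 fill, is the symptom Tridge's dump-all-of-memory program relied on.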


Thread overview: 12+ messages
2001-06-20  2:08 2.2 PATCH: check return from copy_*_user in fs/pipe.c Zack Weinberg
2001-06-20  2:16 ` David S. Miller
2001-06-20  2:48   ` Zack Weinberg
2001-06-20  2:52     ` David S. Miller
2001-06-20  3:59       ` Zack Weinberg
2001-06-20  4:01         ` David S. Miller
2001-06-20  5:14         ` Linus Torvalds
2001-06-20  4:33   ` Andrew Tridgell [this message]
2001-06-20 15:52     ` Hugh Dickins
  -- strict thread matches above, loose matches on Subject: below --
2001-06-21  3:26 Zack Weinberg
2001-06-21  3:44 ` David S. Miller
2001-06-21  6:10   ` Zack Weinberg
