From: Andrea Arcangeli <andrea@suse.de>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Chris Friesen <cfriesen@nortelnetworks.com>,
Raphael Rigo <raphael.rigo@inp-net.eu.org>,
linux-kernel@vger.kernel.org
Subject: Re: New do_mremap vulnerabitily.
Date: Thu, 19 Feb 2004 00:49:16 +0100
Message-ID: <20040218234916.GU4478@dualathlon.random>
In-Reply-To: <Pine.LNX.4.58.0402181424120.2686@home.osdl.org>
On Wed, Feb 18, 2004 at 02:26:45PM -0800, Linus Torvalds wrote:
>
>
> On Wed, 18 Feb 2004, Chris Friesen wrote:
> >
> > There is still a call to do_munmap() that does not check the return
> > code, called from move_vma(), which in turn is called in do_mremap().
> >
> > Can that call ever fail and cause Bad Things to happen?
>
> Yes it can fail, and no, bad things can't happen. We could return the
> error code to user space, but on the other hand, by the time the munmap
> fails we would already have done 90% of the mremap(), so it doesn't much
> help user space to know that the old area still has a vma, but no pages
> associated with it.
which is a bug, mremap has to retire fully and it's not doing that
(obviously we don't want to write a retirement logic, we only want to
preallocate whatever needed so we don't need to retire), but it's not a
bad bug, since it only matters for real apps, and real apps will only
fall into this do_munmap due to the oom condition, which isn't going to
trigger in do_munmap anyways, and even in the unlikely case that it does
it is extremely unlikely to generate an exploitable hole in the real (non
malicious) app.
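The two positions in this exchange (an unmap step whose failure is ignored after the pages have already moved, versus reserving up front whatever that step needs so it cannot fail halfway) can be shown with a small model. The following is an added example, not kernel code and not code from any of the posters: the `struct mapping`, the descriptor budget, and the `move_*` functions are constructed stand-ins for a vma, the memory a split needs, and the move/unmap sequence, so the only thing it demonstrates is the error-handling ordering, not how the kernel's mm implements it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (constructed for this example): a mapping is a
 * descriptor (the "vma") plus a flag saying whether pages back it.
 * Unmapping part of a mapping needs one fresh descriptor for the split,
 * and that allocation is the step that can fail. */
struct mapping {
    bool has_vma;   /* descriptor exists */
    bool has_pages; /* pages are attached to it */
};

/* Simulated descriptor allocator with a failure budget (constructed). */
static int descriptors_available;

void set_descriptor_budget(int n)
{
    descriptors_available = n;
}

static bool alloc_descriptor(void)
{
    if (descriptors_available <= 0)
        return false;
    descriptors_available--;
    return true;
}

/* Unmap step: consumes a descriptor unless one was reserved already,
 * then drops the mapping. Returns -1 on allocation failure. */
static int unmap_old(struct mapping *m, bool descriptor_reserved)
{
    if (!descriptor_reserved && !alloc_descriptor())
        return -1;
    m->has_vma = false;
    m->has_pages = false;
    return 0;
}

/* Move the pages from old to new; this part cannot fail in the model. */
static void move_pages(struct mapping *old, struct mapping *dst)
{
    old->has_pages = false;
    dst->has_vma = true;
    dst->has_pages = true;
}

/* Ordering asked about in the thread: move first, unmap afterwards, and
 * never look at whether the unmap worked. */
int move_without_preallocation(struct mapping *old, struct mapping *dst)
{
    move_pages(old, dst);
    (void)unmap_old(old, false); /* return code deliberately ignored */
    return 0;
}

/* Alternative described in the reply: reserve what the unmap will need
 * before anything is modified, so a shortage is reported early and the
 * caller's state is untouched. */
int move_with_preallocation(struct mapping *old, struct mapping *dst)
{
    if (!alloc_descriptor())
        return -1; /* fail before any page has moved */
    move_pages(old, dst);
    unmap_old(old, true); /* cannot fail: resource already reserved */
    return 0;
}

/* The half-done state under discussion: a vma that no pages back. */
bool is_vma_without_pages(const struct mapping *m)
{
    return m->has_vma && !m->has_pages;
}

int main(void)
{
    struct mapping old = { true, true }, dst = { false, false };

    set_descriptor_budget(0); /* simulate the out-of-memory case */
    move_without_preallocation(&old, &dst);
    printf("unchecked unmap, old vma without pages: %s\n",
           is_vma_without_pages(&old) ? "yes" : "no");

    old = (struct mapping){ true, true };
    dst = (struct mapping){ false, false };
    set_descriptor_budget(0);
    printf("preallocating move returned %d, old intact: %s\n",
           move_with_preallocation(&old, &dst),
           old.has_vma && old.has_pages ? "yes" : "no");
    return 0;
}
```

Run with a budget of zero descriptors, the first strategy reports success while leaving the old mapping as a descriptor with no pages; the second reports the failure before any page has moved, which is the "preallocate so we never need to retire" behaviour rather than a rollback.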