From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752590Ab2GVUDy (ORCPT ); Sun, 22 Jul 2012 16:03:54 -0400 Received: from mx1.redhat.com ([209.132.183.28]:48961 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752429Ab2GVUDw (ORCPT ); Sun, 22 Jul 2012 16:03:52 -0400 Date: Sun, 22 Jul 2012 22:00:49 +0200 From: Oleg Nesterov To: Djalal Harouni Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Al Viro , Andrew Morton , Vasiliy Kulikov , WANG Cong , Solar Designer , Kees Cook Subject: Re: [PATCH] proc: do not allow negative offsets on /proc//environ Message-ID: <20120722200049.GA29222@redhat.com> References: <1342974959-2748-1-git-send-email-tixxdz@opendz.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1342974959-2748-1-git-send-email-tixxdz@opendz.org> User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 07/22, Djalal Harouni wrote: > > __mem_open() which is called by both /proc//environ and > /proc//mem ->open() handlers will allow the use of negative offsets. > /proc//mem has negative offsets but not /proc//environ. Probablt the patch makes sense, but I can't understand the changelog... > Allowing negative offsets on /proc//environ can turn it to act like > /proc//mem. A negative offset will pass the > fs/read_write.c:lseek_execute() and the environ_read() checks and will > point to another VMA. which VMA? environ_read() can only read the memory from [env_start, env_end], and it should check *ppos anyway to ensure it doesn't read something else. > static int mem_open(struct inode *inode, struct file *file) > { > - return __mem_open(inode, file, PTRACE_MODE_ATTACH); > + int ret = __mem_open(inode, file, PTRACE_MODE_ATTACH); > + if (!ret) > + /* OK to pass negative loff_t, we can catch out-of-range */ > + file->f_mode |= FMODE_UNSIGNED_OFFSET; > + > + return ret; I guess you can set FMODE_UNSIGNED_OFFSET unconditionally, it doesn't matter if __mem_open() fails. But I won't insist. Oleg.