From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753089AbcAGJxI (ORCPT); Thu, 7 Jan 2016 04:53:08 -0500
Received: from mail-lb0-f179.google.com ([209.85.217.179]:34556 "EHLO mail-lb0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753001AbcAGJxB (ORCPT); Thu, 7 Jan 2016 04:53:01 -0500
Date: Thu, 7 Jan 2016 12:52:56 +0300
From: Cyrill Gorcunov
To: Mateusz Guzik
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, Alexey Dobriyan, Jarod Wilson, Jan Stancek, Andrew Morton, Al Viro
Subject: Re: [PATCH 0/2] fix up {arg,env}_{start,end} vs prctl
Message-ID: <20160107095256.GA4306@uranus>
References: <1452056549-10048-1-git-send-email-mguzik@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1452056549-10048-1-git-send-email-mguzik@redhat.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jan 06, 2016 at 06:02:27AM +0100, Mateusz Guzik wrote:
> An unprivileged user can trigger an oops on a kernel with
> CONFIG_CHECKPOINT_RESTORE.
>
> proc_pid_cmdline_read takes mmap_sem for reading and obtains args + env
> start/end values. These get sanity checked as follows:
> BUG_ON(arg_start > arg_end);
> BUG_ON(env_start > env_end);
>
> These can be changed by prctl_set_mm. Turns out it also takes the semaphore for
> reading, effectively rendering it useless. This results in:

Thanks a lot for catching it! You know, I tried to escape taking the sem for
writing as long as I could, so another option might be simply to zap these
BUG_ON and rather exit with -EINVAL. On the other hand, modification under
read-lock of course is not correct in terms of "general approach", but these
members are special so I took a risk. Anyway,

Acked-by: Cyrill Gorcunov

Thanks again.