From: Andrew Morton <akpm@digeo.com>
To: Oleg Drokin <green@namesys.com>
Cc: Hans Reiser <reiser@namesys.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [BK][PATCH] ReiserFS CPU and memory bandwidth efficient large writes
Date: Sat, 14 Dec 2002 10:27:50 -0800 [thread overview]
Message-ID: <3DFB7826.D2EF0263@digeo.com> (raw)
In-Reply-To: 20021214144437.B13549@namesys.com
Oleg Drokin wrote:
>
> > > + if ( from != 0 ) {/* First page needs to be partially zeroed */
> > > + char *kaddr = kmap_atomic(prepared_pages[0], KM_USER0);
> > > + memset(kaddr, 0, from);
> > > + kunmap_atomic( kaddr, KM_USER0);
> > > + SetPageUptodate(prepared_pages[0]);
> > > + }
> > > + if ( to != PAGE_CACHE_SIZE ) { /* Last page needs to be partially zeroed */
> > > + char *kaddr = kmap_atomic(prepared_pages[num_pages-1], KM_USER0);
> > > + memset(kaddr+to, 0, PAGE_CACHE_SIZE - to);
> > > + kunmap_atomic( kaddr, KM_USER0);
> > > + SetPageUptodate(prepared_pages[num_pages-1]);
> > > + }
> > This seems wrong. This could be a newly-allocated pagecache page. It is not
> > yet fully uptodate. If (say) the subsequent copy_from_user gets a fault then
> > it appears that this now-uptodate pagecache page will leak uninitialised stuff?
>
> No, I do not see it. Even if we have somebody already mmapped this part of file,
> and he got enough of luck that subsequent copy_from_user gets a fault and then
> this someone gets to CPU and tries to access the page, the SIGBUS should happen
> because of access to mmaped area beyond end of file as we have not yet updated
> the file size note that we have this check before this code you pointed out:
> if ( (pos & ~(PAGE_CACHE_SIZE - 1)) > inode->i_size ) {
>
It is not related to mmap. The exploit would be to pass a partially
(or fully?) invalid (address, length) pair into the write() system call.
Something like:
fd = creat(...);
write(fd, 0, 4095); /* efault, instantiate 0'th page */
lseek(fd, 4096, SEEK_SET);
write(fd, "", 1); /* place the 0'th page inside i_size */
lseek(fd, 0, SEEK_SET);
read(fd, my_buffer, 4095); /* now what do we have? */
next prev parent reply other threads:[~2002-12-14 18:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-12-13 18:56 [BK][PATCH] ReiserFS CPU and memory bandwidth efficient large writes Hans Reiser
2002-12-13 21:40 ` Andrew Morton
2002-12-14 1:11 ` Hans Reiser
2002-12-14 11:44 ` Oleg Drokin
2002-12-14 18:27 ` Andrew Morton [this message]
2002-12-14 13:21 ` Oleg Drokin
2002-12-14 18:42 ` Andrew Morton
2002-12-14 19:20 ` Oleg Drokin
2002-12-14 20:10 ` Andrew Morton
2002-12-14 20:25 ` Oleg Drokin
2002-12-16 18:24 ` Chris Mason
2002-12-17 10:53 ` Oleg Drokin
2002-12-14 22:21 ` Hans Reiser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3DFB7826.D2EF0263@digeo.com \
--to=akpm@digeo.com \
--cc=green@namesys.com \
--cc=linux-kernel@vger.kernel.org \
--cc=reiser@namesys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox