| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 03 Sep 2010 19:41:32 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
Cc: Ingo Molnar <mingo@...e.hu>, Steven Rostedt <rostedt@...dmis.org>,
Randy Dunlap <rdunlap@...otime.net>,
Arnaldo Carvalho de Melo <acme@...radead.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Christoph Hellwig <hch@...radead.org>,
Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
Oleg Nesterov <oleg@...hat.com>,
Mark Wielaard <mjw@...hat.com>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Naren A Devaiah <naren.devaiah@...ibm.com>,
Jim Keniston <jkenisto@...ux.vnet.ibm.com>,
Frederic Weisbecker <fweisbec@...il.com>,
"Frank Ch. Eigler" <fche@...hat.com>,
Ananth N Mavinakayanahalli <ananth@...ibm.com>,
LKML <linux-kernel@...r.kernel.org>,
"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
Subject: Re: [PATCHv11 2.6.36-rc2-tip 3/15] 3: uprobes: Slot allocation
for Execution out of line(XOL)
On Fri, 2010-09-03 at 22:56 +0530, Srikar Dronamraju wrote:
>
>
> static unsigned long xol_get_insn_slot(struct user_bkpt *user_bkpt,
> struct uprobes_xol_area *xol_area)
> {
> unsigned long flags, xol_vaddr = 0;
> int len;
>
> if (unlikely(!xol_area))
> return 0;
>
> smp_rmb();
> if (user_bkpt->xol_vaddr)
> return user_bkpt->xol_vaddr;
>
> spin_lock_irqsave(&xol_area->lock, flags);
> xol_vaddr = xol_take_insn_slot(xol_area);
> spin_unlock_irqrestore(&xol_area->lock, flags);
>
> /*
> * Initialize the slot if user_bkpt->vaddr points to valid
> * instruction slot.
> */
> if (!xol_vaddr)
> return 0;
>
> len = access_process_vm(current, xol_vaddr, user_bkpt->insn,
> UPROBES_XOL_SLOT_BYTES, 1);
> if (unlikely(len < UPROBES_XOL_SLOT_BYTES))
> printk(KERN_ERR "Failed to copy instruction at %#lx "
> "len = %d\n", user_bkpt->vaddr, len);
>
> /*
> * Update user_bkpt->xol_vaddr after giving a chance for the slot to
> * be initialized.
> */
> smp_mb();
> user_bkpt->xol_vaddr = xol_vaddr;
> return user_bkpt->xol_vaddr;
> }
Racy like you won't believe..
Suppose multiple threads hitting the trap at the same time, every thread
will end up failing the check and allocating a new slot for it, at the
end the slowest thread will end up setting the value.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists