| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Sep 2017 08:53:16 -0400
From: Meng Xu <meng.xu@...ech.edu>
To: mingo@...hat.com, peterz@...radead.org,
linux-kernel@...r.kernel.org
Cc: meng.xu@...ech.edu, sanidhya@...ech.edu, taesoo@...ech.edu,
Meng Xu <mengxu.gatech@...il.com>
Subject: [PATCH] sched/core: Fix a potential double fetch bug on attr->size
From: Meng Xu <mengxu.gatech@...il.com>
`attr->size` after the second fetch `copy_from_user(attr, uattr, size)`,
can be different from what is initially fetched in and checked
`get_user(size, &uattr->size)` by racing condition in the userspace.
The issue and the patch are both similar to commit f12f42a
(in kernel/events/core.c).
Signed-off-by: Meng Xu <mengxu.gatech@...il.com>
---
kernel/sched/core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 0869b20..c22d2b4 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4349,6 +4349,8 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a
if (ret)
return -EFAULT;
+ attr->size = size;
+
/*
* XXX: Do we want to be lenient like existing syscalls; or do we want
* to be strict and return an error on out-of-bounds values?
--
2.7.4
Powered by blists - more mailing lists