Message-Id: <20060907143513.7024c15c.akpm@osdl.org>
Date: Thu, 7 Sep 2006 14:35:13 -0700
From: Andrew Morton <akpm@...l.org>
To: James Cross <james_cross@...antec.com>
Cc: Jens Axboe <axboe@...e.de>,
Andries Brouwer <Andries.Brouwer@....nl>,
linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>,
Christoph Hellwig <hch@....de>
Subject: Re: [PATCH] fix /proc/partitions oops

On Thu, 7 Sep 2006 17:04:20 +0100 (BST)
James Cross <james_cross@...antec.com> wrote:
> If show_partition happens to race with re-reading a partition table
> (rescan_partitions), sgp->part[n] can become NULL just after it's been
> tested, and so cause an oops: read it once (and read nr_sects just the
> once too, to avoid a chance of showing 0).
>
OK.
>
> block/genhd.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> --- 2.6.18-rc6/block/genhd.c.orig 2006-09-07 12:14:32.183218000 +0100
> +++ 2.6.18-rc6/block/genhd.c 2006-09-07 12:15:16.134498000 +0100
> @@ -261,14 +261,18 @@ static int show_partition(struct seq_fil
> (unsigned long long)get_capacity(sgp) >> 1,
> disk_name(sgp, 0, buf));
> for (n = 0; n < sgp->minors - 1; n++) {
> - if (!sgp->part[n])
> + struct hd_struct *partn;
> + unsigned long long nr_sects;
> +
> + partn = sgp->part[n];
> + if (!partn)
> continue;
> - if (sgp->part[n]->nr_sects == 0)
> + nr_sects = partn->nr_sects;
> + if (nr_sects == 0)
> continue;
> seq_printf(part, "%4d %4d %10llu %s\n",
> sgp->major, n + 1 + sgp->first_minor,
> - (unsigned long long)sgp->part[n]->nr_sects >> 1 ,
> - disk_name(sgp, n + 1, buf));
> + nr_sects >> 1, disk_name(sgp, n + 1, buf));
> }
>
> return 0;
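
Review bot: at `partn = sgp->part[n];` the pointer is copied with no lock or reference held, so the `partn->nr_sects` read that follows can still touch an entry that has gone away if the re-read path named in the description (rescan_partitions) frees it after clearing the slot. The local copy closes the window for the NULL dereference but not the lifetime problem; the loop body should run under whatever lock serializes partition table re-reads, or take a reference on the entry before dereferencing it. `disk_name(sgp, n + 1, buf)` is also still called with sgp after the check, so if it consults the same slot it needs the same protection.
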
But that'll leave us reading possibly-freed memory.

I expect the correct way to fix this is with locking: the /proc/partitions
reading code needs to lock down the partition information while it's
reading it.

AFAICT the appropriate lock to take is the bdev->bd_mutex on the blockdev
which represents the "whole" disk. But I'm not sure whether that's
correct, nor what the official way is of hunting down that block_device*,
nor whether the code in do_open() is managing to take the correct lock.

Cc's hopefully added.