| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Jan 2007 21:20:58 +1100 From: Nick Piggin <nickpiggin@...oo.com.au> To: linux-kernel <linux-kernel@...r.kernel.org>, Linux Memory Management <linux-mm@...ck.org>, David Howells <dhowells@...hat.com>, Hugh Dickins <hugh@...itas.com>, Andrew Morton <akpm@...l.org> Subject: page_mkwrite caller is racy? Hi, After do_wp_page calls page_mkwrite on its target (old_page), it then drops the reference to the page before locking the ptl and verifying that the pte points to old_page. Unfortunately, old_page may have been truncated and freed, or reclaimed, then re-allocated and used again for the same pagecache position and faulted in read-only into the same pte by another thread. Then you will have a situation where page_mkwrite succeeds but the page we use is actually a readonly one. Moving page_cache_release(old_page) to below the next statement will fix that problem. But it is sad that this thing got merged without any callers to even know how it is intended to work. Must it be able to sleep? Nick -- SUSE Labs, Novell Inc. Send instant messages to your online friends http://au.messenger.yahoo.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists