lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 20 Feb 2007 07:14:08 -0800
From:	Stephane Eranian <eranian@....hp.com>
To:	Nick Piggin <npiggin@...e.de>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [patch] perfmon ia64: fix file/vma lifetime

Nick,

On Tue, Feb 20, 2007 at 04:08:45PM +0100, Nick Piggin wrote:
> On Tue, Feb 20, 2007 at 06:34:54AM -0800, Stephane Eranian wrote:
> > nick,
> > 
> > On Tue, Feb 20, 2007 at 03:18:56PM +0100, Nick Piggin wrote:
> > > From: Nick Piggin <npiggin@...e.de>
> > > 
> > > Perfmon associates vmalloc()ed memory with a file descriptor, and installs
> > > a vma mapping that memory. Unfortunately, the vm_file field is not filled in,
> > > so processes with mappings to that memory do not prevent the file from being
> > > closed and the memory freed. This results in use-after-free bugs and multiple
> > > freeing of pages, etc.
> > > 
> > > I saw this bug on an Altix on SLES9. Haven't reproduced upstream but it looks
> > > like the same issue is there.
> > > 
> > 
> > I think this is possible for the old perfmon v2.0 codebase that is currently in
> > mainline for IA-64.
> 
> OK, I take that as an Ack? (the patch definitely applies, I just can't
> get the Altix to boot 2.6.20 to verify it).
> 
> > I have corrected this with the multi-arch v2.3 code base 
> > available as a  kernel patch for the moment.
> 
> Not that I've looked at the code, but can I be hopeful that v2.3
> using the traditional mmap file operation to set up the vma and map
> in pages, rather than the way that v2.0 works?
> 

It does. You need an explicit mmap()  call.

-- 

-Stephane
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ