lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20070330134359.ec6d95bc.akpm@linux-foundation.org>
Date:	Fri, 30 Mar 2007 13:43:59 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Brian Pomerantz <bapper@...atehaven.org>
Cc:	viro@...iv.linux.org.uk, linux-kernel@...r.kernel.org,
	Nick Piggin <nickpiggin@...oo.com.au>,
	Hugh Dickins <hugh@...itas.com>
Subject: Re: [PATCH] fix page leak during core dump

On Thu, 29 Mar 2007 13:39:13 -0700
Brian Pomerantz <bapper@...atehaven.org> wrote:

> When the dump cannot occur most likely because of a full file system
> and the page to be written is the zero page, the call to
> page_cache_release() is missed.
> 
> Signed-off-by: Brian Pomerantz <bapper@...sta.com>
> 
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index a2fceba..9cc4f0a 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -1704,7 +1704,10 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file)
>  				DUMP_SEEK(PAGE_SIZE);
>  			} else {
>  				if (page == ZERO_PAGE(addr)) {
> -					DUMP_SEEK(PAGE_SIZE);
> +					if (!dump_seek(file, PAGE_SIZE)) {
> +						page_cache_release(page);
> +						goto end_coredump;
> +					}

Oh for gawds sake I wish we could be rid of those idiotic macros :(

This patch looks OK to me, although a refcount leak on the ZERO_PAGE is
special, because that page is PageReserved().

It used to be the case that we'd ignore attempts to change the refcount on
reserved pages (or at least on the ZERO_PAGE), but we changed that, so we
now actually refcount the ZERO_PAGE.  (I think, from a quick read of the
code.  This contradicts my memory of how it works).

So I expect the net effect here is that a sufficiently determined attacker
can overflow the ZERO_PAGE's refcount, thus causing it to be "freed".  The
page allocator won't actually free the page due to PG_Reserved, but it'll
all become very noisy.

Nick, Hugh: agree?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ