lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 07 May 2007 11:26:44 +1000
From:	Rusty Russell <rusty@...tcorp.com.au>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	lkml - Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: get_user_pages vs mmap MAP_FIXED bug

On Sun, 2007-05-06 at 17:01 +1000, Rusty Russell wrote:
> This bug is in 2.6.21-rc7-mm2, but not 2.6.21.  Haven't tested
> 2.6.21-mm1 yet.

OK, 2.6.21-mm1 fails too.  2.6.21-git6 ... is fine.

Here's a standalone test using ptrace.  No kernel module req'd.

	rusty@...ussy:~/linux-2.6.21-mm1$ ../examiner 
	ptrace says 0, child says 0x464c457f

Any clues Andrew?  Or should I take your patches and do a binary search?

Cheers,
Rusty.

/* Make with gcc -o examine_mmap examine_mmap.c */
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ptrace.h>
#include <signal.h>
#include <err.h>
#include <errno.h>

/* Compare ptrace (ie. get_user_pages()) result with what process
 * actually sees. */
int main(int argc, char *argv[])
{
	long int *p, res1, res2;
	int fd, child;
	int child2parent[2], parent2child[2];
	char c = 0;

	pipe(child2parent);
	pipe(parent2child);

	if ((child = fork()) == 0) {

		/* Grab some file to mmap. */
		fd = open(argv[0], O_RDONLY);
		if (fd < 0)
			err(1, "open");

		/* Map one page of it at 4096 */
		p = (void *)4096;
		if (mmap(p, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, fd, 0) != p)
			err(1, "mmap");

		/* This makes it work. */
		if (argc > 1 && strcmp(argv[1], "--touch") == 0)
			printf("Before: %p == %li\n", p, *p);

		/* Allow parent to trace me. */
		if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0)
			err(1, "PTRACE_TRACEME");

		/* Tell parent to look at memory, and wait for response. */
		write(child2parent[1], &c, 1);
		read(parent2child[0], &c, 1);

		/* Write what we see to pipe */
		write(child2parent[1], p, sizeof(*p));
		exit(0);
	}

	/* Wait for child to be ready. */
	read(child2parent[0], &c, 1);

	/* Child needs to be stopped.  What a POS. */
	kill(child, SIGSTOP);
	sleep(1);

	/* Get ptrace to tell us what the kernel thinks the value is */
	res1 = ptrace(PTRACE_PEEKDATA, child, (void *)4096, NULL);

	/* Continue the child. */
	ptrace(PTRACE_DETACH, child, NULL, NULL);

	/* Tell the child to continue. */
	write(parent2child[1], &c, 1);

	/* Get the child's opinion of what the value is. */
	read(child2parent[0], &res2, sizeof(res2));

	printf("ptrace says %#lx, child says %#lx\n", res1, res2);
	exit(res1 == res2 ? 0 : 1);
}


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ