lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20070517050436.GN4095@ftp.linux.org.uk>
Date:	Thu, 17 May 2007 06:04:36 +0100
From:	Al Viro <viro@....linux.org.uk>
To:	sk b <skb300@...mail.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: user pointers and race conditions

On Wed, May 16, 2007 at 10:56:22PM -0600, sk b wrote:
> 
> Hello,
> 
> I'm wondering whether there is an exploitable TOCTTOU race condition in the way user pointers are handled in the kernel. Consider the following code:
> 
> 1: struct st { int *u; };
> 2: void syscall(struct st * stp) {
> 3:        if (!access_ok(VERIFY_READ,stp,sizeof(struct st)))
> 4:                return;
> 5:        if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int)))

... and there's your bug - direct access to userland data.  The normal
variant is to use accessors (get_user() or copy_from_user()) to fetch
the value of stp->u.  At which point races of the kind you mentioned
take an obviously dumb code (explicitly copying the same struct from
userland _twice_).

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ