[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200804101737.16825.mhocko@suse.cz>
Date: Thu, 10 Apr 2008 17:37:16 +0200
From: Michal Hocko <mhocko@...e.cz>
To: Jan Kara <jack@...e.cz>
Cc: Jiri Kosina <jkosina@...e.cz>, Meelis Roos <mroos@...ux.ee>,
Linux Kernel list <linux-kernel@...r.kernel.org>,
linux-fsdevel@...r.kernel.org
Subject: Re: file offset corruption on 32-bit machines?
On Thursday 10 April 2008 05:19:45 pm Jan Kara wrote:
> > On Thu, 10 Apr 2008, Jan Kara wrote:
> > > > The f_pos races are in fact exploitable, we've already been there.
> > > > See for example
> > > > http://www.isec.pl/vulnerabilities/isec-0016-procleaks.txt
> > >
> > > Well, this race is more subtle - the window is just one instruction
> > > wide (stores to f_pos from CPU2 must come between the store of lower
> > > and upper 32-bits of f_pos on CPU1). And the only result is that f_pos
> > > has 32-bits from one file pointer and 32-bits from the other one. So I
> > > can hardly imagine this would be exploitable...
> >
> > Supposing you are not holding any spinlock and are running with
> > preemptible kernel (pretty common scenario nowadays), there is nothing
> > that would prevent kernel from rescheduling between the two instructions,
> > enlarging the race window to be more comfortable for attacker, right?
>
> Yes, this is theoretically possible.
>
> > I think this is worth fixing.
>
> Hmm, maybe it is, although I still don't see how to exploit it :).
Maybe (just guess) some high priority malicious process could try to preempt
reading thread to always in the bad moment (when the half of the f_pos is
written) and thus forcing it to read bad data (you usually don't check that
file position is growing after each read and you wait only for end of the
file).
But do agree, I still don't see something with really security implications
(privileged processes usually don't work with such a big files).
>
> Honza
Best regards
--
Michal Hocko
SUSE LINUX s.r.o.
Lihovarska 1060/12
190 00 Praha 9
Czech Republic
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists