Date:	Mon, 07 Jul 2008 12:02:20 +0400
From:	Dmitri Monakhov <dmonakhov@...nvz.org>
To:	Andi Kleen <andi@...stfloor.org>
Cc:	linux-kernel@...r.kernel.org, jens.axboe@...cle.com
Subject: Re: [PATCH] loop: prevent get_user pages call from kernel thread(v2)

Andi Kleen <andi@...stfloor.org> writes:

> Dmitri Monakhov <dmonakhov@...nvz.org> writes:
>
>> Yes... everybody knows that it is bad to write from kernel thread, and it is
>> madness to do it with O_DIRECT. But occasionally file with O_DIRECT flag
>> may be passed to loop device via LOOP_SET_FD. So if file-system hasn't
>> address_space ops, or simply hides it like GFS, it is possible to kill kernel
>> via two lines program. In fact we can't effectively guard kernel space by
>> denying O_DIRECT in loop's code, because user space can set it via
>> fcntl(,F_SETFL,). Let's simply add sanity check mm related logic.
>
> Wouldn't it be better if loop simply dup()ed the file descriptor
> and then checked the flag?  Presumably other fd flags could
> do bad things inside loop too.

Of course this can't work because both fds refer to the same struct file.
man fcntl:
 File status flags
       Each open file description has certain associated status flags, ini-
       tialized  by  open(2) and possibly modified by fcntl(2).  Duplicated
       file descriptors (made with dup(2), fcntl(F_DUPFD),  fork(2),  etc.)
       refer  to  the  same  open file description, and thus share the same
       file status flags.
>
> -Andi
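
The fcntl(2) behaviour quoted in the reply above, as an added example that is not part of the original message or of the kernel: a flag set with F_SETFL on one descriptor shows up on its dup() copy, but not on a separate open() of the same file. The function names and the /tmp scratch file are assumptions made for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for O_DIRECT on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Set `flag` with F_SETFL on `setter`, then ask `held` whether it sees it.
 * Returns 1 if visible, 0 if not, -1 on error. */
static int visible_after_set(int setter, int held, int flag)
{
    int fl = fcntl(setter, F_GETFL);
    if (fl < 0 || fcntl(setter, F_SETFL, fl | flag) < 0)
        return -1;
    fl = fcntl(held, F_GETFL);
    return fl < 0 ? -1 : (fl & flag) != 0;
}

/* `held` plays the descriptor someone kept and checked earlier.
 * via_dup != 0: held = dup(fd), i.e. the same open file description.
 * via_dup == 0: held = a fresh open() of the same path (its own description).
 * The flag is then set on the original fd, as the first holder could do. */
int flag_leaks(int via_dup, int flag)
{
    char path[] = "/tmp/dupflag-XXXXXX";    /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int held = via_dup ? dup(fd) : open(path, O_RDWR);
    int r = held < 0 ? -1 : visible_after_set(fd, held, flag);
    if (held >= 0)
        close(held);
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    printf("dup():  O_APPEND seen on held copy: %d\n", flag_leaks(1, O_APPEND));
    printf("open(): O_APPEND seen on held copy: %d\n", flag_leaks(0, O_APPEND));
#ifdef O_DIRECT
    /* F_SETFL may refuse O_DIRECT (EINVAL) on some filesystems: prints -1. */
    printf("dup():  O_DIRECT seen on held copy: %d\n", flag_leaks(1, O_DIRECT));
#endif
    return 0;
}
```

A flag check done once on a dup()ed descriptor therefore pins nothing: the value can change afterwards through any other descriptor that shares the open file description.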