Date:	Sat, 27 Dec 2008 14:16:08 +0900
From:	Akinobu Mita <akinobu.mita@...il.com>
To:	linux-kernel@...r.kernel.org
Cc:	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>
Subject: [PATCH 0/4] x86: fix free_thread_info() with uninitalized
	thread_info

This patch series fixes the problem described below. The actual fix is
made only by patch 3/4. The rest of the patches help make it simple and
there is no actual behavioral change.

The x86 arch-specific free_thread_info() accesses thread_info->task to call
free_thread_xstate(). But the thread_info may not be initialized yet.
So an invalid pointer dereference may happen in free_thread_xstate().

It happens in the following scenario in dup_task_struct():

1. call alloc_task_struct() to allocate empty task_struct
2. call alloc_thread_info() to allocate empty thread_info
3. call arch_dup_task_struct()

The x86 arch-specific arch_dup_task_struct() copies the task_struct from the
source task_struct. It also allocates an empty xstate and copies from the
source if the source task_struct has ->thread.xstate.

If the xstate allocation fails, arch_dup_task_struct() returns an error.

4. call free_thread_info() to deallocate thread_info

The x86 arch-specific free_thread_info() calls free_thread_xstate() with
thread_info->task. But the thread_info is not initialized yet.
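
Added example, not part of the original mail or the patch series: a user-space C model of the dup_task_struct() error path described above, with the xstate allocation failure injected. The struct layouts, the POISON fill, the fail_xstate flag and the use_tsk alternative (freeing the xstate through the task_struct pointer the caller already holds) are assumptions for illustration and are not what patch 3/4 does.

```c
#include <stdlib.h>
#include <string.h>

/* User-space model; names follow the mail, bodies are simplified assumptions. */
struct task { void *xstate; };
struct thread_info { struct task *task; };

#define POISON 0x6b          /* constructed stand-in for uninitialized memory */
static int fail_xstate;      /* fault injection: xstate allocation fails */
static int bad_deref;        /* times ->task was used before being set */

static int arch_dup_task_struct(struct task *dst, const struct task *src) {
    *dst = *src;
    dst->xstate = NULL;
    if (src->xstate) {
        dst->xstate = fail_xstate ? NULL : malloc(64);
        if (!dst->xstate) return -1;
        memcpy(dst->xstate, src->xstate, 64);
    }
    return 0;
}

/* As described in the mail: reaches the xstate through ti->task. */
static void free_thread_info_via_ti(struct thread_info *ti) {
    struct thread_info poison;
    memset(&poison, POISON, sizeof poison);
    if (memcmp(ti, &poison, sizeof poison) == 0)
        bad_deref++;                 /* real code would dereference garbage here */
    else
        free(ti->task->xstate);
    free(ti);
}

/* Returns 0 on success, -1 on failure. The model tears the child down on both
 * paths so it stays leak-free; use_tsk selects the assumed alternative. */
int dup_task_struct(const struct task *src, int use_tsk) {
    struct task *tsk = malloc(sizeof *tsk);               /* step 1 */
    struct thread_info *ti = malloc(sizeof *ti);          /* step 2 */
    if (!tsk || !ti) { free(tsk); free(ti); return -1; }
    memset(ti, POISON, sizeof *ti);                       /* ->task not set yet */
    int err = arch_dup_task_struct(tsk, src);             /* step 3 */
    if (!err) ti->task = tsk;                             /* set only after success */
    if (use_tsk) { free(tsk->xstate); free(ti); }         /* caller-held pointer */
    else free_thread_info_via_ti(ti);                     /* step 4 */
    free(tsk);
    return err;
}
```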
