lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LFD.2.01.0908151036290.3162@localhost.localdomain>
Date:	Sat, 15 Aug 2009 10:52:39 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Eric Paris <eparis@...hat.com>
cc:	Christoph Thielecke <christoph.thielecke@....de>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Al Viro <viro@...IV.linux.org.uk>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	"Rafael J. Wysocki" <rjw@...k.pl>
Subject: Re: kernel bugs 2.6.31-rc6



On Sat, 15 Aug 2009, Linus Torvalds wrote:
> 
> For example, fsnotify_remove_priv_from_event() will remove the private 
> data event from the list, but what if there are _multiple_ entries with 
> the same 'group' entry? If so, it will remove just the first one.

Hmm. Looking closer, that shouldn't much matter. Each time we added an 
entry in private_data_list, we would have done a 
'fsnotify_get_event(event)' due to adding it to the 'golder->event_list'.

That said, there does seem to be some dubious code there. For example, 
in 'inotify_ignored_and_remove_idr()', we do this:

        fsnotify_add_notify_event(group, ignored_event, fsn_event_priv);

        /* did the private data get added? */
        if (list_empty(&fsn_event_priv->event_list))
                inotify_free_event_priv(fsn_event_priv);

and we do it without holding any locks at all. So as far as I can tell, 
what could happen is that 'fsnotify_add_notify_event()' actually adds the 
private event (fsn_event_priv), but then before we check that the 
event_list is empty, another user (on another CPU, or preempted on the 
same CPU - Christoph has both PREEMPT and SMP on) comes along, picks up 
the private event and frees it (and re-uses it).

That looks like a pretty small window, but preemption could make it much 
bigger. Who knows? Maybe there are other things like that.

And maybe I'm just full of sh*t, and the above can't even happen for some 
reason I'm missing.

		Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ