[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 10 Oct 2009 15:32:35 +0900
From: KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>
To: Bryan Donlan <bdonlan@...il.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org, Ulrich Drepper <drepper@...hat.com>,
linux-api@...r.kernel.org, Timo Sirainen <tss@....fi>
Subject: Re: [resend][PATCH] Added PR_SET_PROCTITLE_AREA option for prctl()
(Doh, I've forgot cc to original author. sorry. cc to timo.)
Hi
very interesting discussion. great.
2009/10/10 Bryan Donlan <bdonlan@...il.com>:
> On Fri, Oct 9, 2009 at 10:42 PM, Andrew Morton
> <akpm@...ux-foundation.org> wrote:
>
>>> >> + __ __ __ __ __ __ __ __ __ __ __ __ __ __ res += access_process_vm(task, mm->env_start,
>>
>> Your email client is converting tabs to non-ascii crap. gmail. Sigh.
>
> Weird ... I'll have to see if I can do something about that :/
>
>> OK.
>>
>> But there's no way in which the reader of either the patch or the
>> resulting code can discover this subtlety.
>
> I didn't write the log message or the code - I just mentioned these
> same issues back in the lkml thread :) But yes, this should be
> mentioned somewhere.
>
This is documented in access_process_vm.
3224/*
3225 * Access another process' address space.
3226 * Source/target buffer must be kernel space,
3227 * Do not walk the page table directly, use get_user_pages
3228 */
3229int access_process_vm(struct task_struct *tsk, unsigned long addr,
void *buf, int len, int write)
3230{
3231 struct mm_struct *mm;
3232 struct vm_area_struct *vma;
3233 void *old_buf = buf;
3234
3235 mm = get_task_mm(tsk);
3236 if (!mm)
3237 return 0;
3238
3239 down_read(&mm->mmap_sem);
3240 /* ignore errors, just check how much was successfully
transferred */
3241 while (len) {
However, yes, it is pretty bad place ;)
/* ignore errors, just check how much was successfully transferred */
comment should
be placed in function header comment.
I think separate another patch is better.
>>> The solution is to use the seqlock to detect this, and prevent the
>>> secret information from ever making it back to process B's userspace.
>>> Note that it's not enough to just recheck arg_start, as process A may
>>> reassign the proctitle area back to its original position after having
>>> it somewhere else for a while.
>>
>> Well seqlock is _a_ solution. Another is to use a mutex or an rwsem
>> around the whole operation.
>>
>> With the code as you propose it, what happens if a process sits in a
>> tight loop running setproctitle? Do other processes running `ps' get
>> stuck in a livelock until the offending process gets scheduled out?
>
> It does seem like a maximum spin count should be put in there - and
> maybe a timeout as well (since with FUSE etc it's possible to engineer
> page faults that take arbitrarily long).
> Also, it occurs to me that:
makes sense.
I like maximum spin rather than timeout.
>> + do {
>> + seq = read_seqbegin(&mm->arg_lock);
>> +
>> + len = mm->arg_end - mm->arg_start;
>> + if (len > PAGE_SIZE)
>> + len = PAGE_SIZE;
>
> If arg_end or arg_start are modified after this, is it truly safe to
> assume that len will remain <= PAGE_SIZE without a memory barrier
> before the conditional?
1) access_process_vm() doesn't return error value.
2) read_seqretry(&mm->arg_lock, seq)) check seq, not mm->arg_start or len.
then, if arg_{start,end} is modified, access_process_vm() may return 0
and strnlen
makes bad calculation, but read_seqretry() can detect its modify
rightly. I think.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists