| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Oct 2012 11:15:52 -0400 From: Dave Jones <davej@...hat.com> To: Linux Kernel <linux-kernel@...r.kernel.org>, bhutchings@...arflare.com, linux-mm@...ck.org, Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: mpol_to_str revisited. On Mon, Oct 08, 2012 at 11:09:49AM -0400, Dave Jones wrote: > Last month I sent in 80de7c3138ee9fd86a98696fd2cf7ad89b995d0a to remove > a user triggerable BUG in mempolicy. > > Ben Hutchings pointed out to me that my change introduced a potential leak > of stack contents to userspace, because none of the callers check the return value. > > This patch adds the missing return checking, and also clears the buffer beforehand. > > Reported-by: Ben Hutchings <bhutchings@...arflare.com> > Cc: stable@...nel.org > Signed-off-by: Dave Jones <davej@...hat.com> > > --- > unanswered question: why are the buffer sizes here different ? which is correct? A further unanswered question is how the state got so screwed up that we hit that default case at all. Looking at the original report: https://lkml.org/lkml/2012/9/6/356 What's in RAX looks suspiciously like left-over slab poison. If pol->mode was poisoned, that smells like we have a race where policy is getting freed while another process is reading it. Am I missing something, or is there no locking around that at all ? Dave -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists