| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Jan 2013 11:50:56 +0800 From: Lingzhu Xiang <lxiang@...hat.com> To: Al Viro <viro@...IV.linux.org.uk> CC: Matt Fleming <matt.fleming@...el.com>, linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [RFC] efivars write(2) races On 01/25/2013 08:25 AM, Al Viro wrote: > 1) process A does write() on efivars file, reaches ->get_variable(), > gets newdatasize set, drops efivars->lock and loses CPU before an attempt to > grab ->i_mutex. process B comes and does the same thing, replacing the > variable contents. Then it grabs ->i_mutex, updates size, drops ->i_mutex > and buggers off. At which point A gets CPU back and proceeds to set size > to whatever would be valid for its write. Only the value is bogus now... There are a few other things that makes size bogus now. 1. truncate() never touches nvram but pretends to be changing size. 2. Empty files come back with non-zero size after remount. They are imported from sysfs when mounting. 3. Arguably reading empty files could just return empty instead of returning EIO/EFI_NOT_FOUND from firmware. 4. EFI_VARIABLE_APPEND_WRITE with EFI_OUT_OF_RESOURCES truncates size but you can still read its content. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists