lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAMOw1v5sAAP1QD9XcidKGpp6Duz=PXf_LC0C8vve7PPSBzez3g@mail.gmail.com>
Date:	Thu, 7 Mar 2013 18:35:44 -0300
From:	Lucas De Marchi <lucas.demarchi@...fusion.mobi>
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	linux-kernel@...r.kernel.org, David Howells <dhowells@...hat.com>,
	James Morris <james.l.morris@...cle.com>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] usermodehelper: Fix -ENOMEM return logic

On Thu, Mar 7, 2013 at 5:07 PM, Oleg Nesterov <oleg@...hat.com> wrote:
> On 03/07, Lucas De Marchi wrote:
>>
>> On Thu, Mar 7, 2013 at 4:37 PM, Oleg Nesterov <oleg@...hat.com> wrote:
>> >
>> >> @@ -98,12 +93,13 @@ static int call_modprobe(char *module_name, int wait)
>> >>       argv[3] = module_name;  /* check free_modprobe_argv() */
>> >>       argv[4] = NULL;
>> >>
>> >> -     return call_usermodehelper_fns(modprobe_path, argv, envp,
>> >> -             wait | UMH_KILLABLE, NULL, free_modprobe_argv, NULL);
>> >> +     ret = call_usermodehelper(modprobe_path, argv, envp,
>> >> +                               wait | UMH_KILLABLE);
>> >> +     kfree(module_name);
>> >
>> > Please note UMH_KILLABLE. call_usermodehelper() can be interrupted
>> > and even UMH_WAIT_EXEC case is not safe. If call_modprobe() is killed
>> > we can return while the workqueue thread still tries to clone/exec/etc.
>>
>> Even if it's killed, we would just free the resource we allocated
>> before.
>
> Yes, and after that ____call_usermodehelper() can do
> do_execve(module_name) ?
>
>> It would not be safe if we allocated in the init function and
>> freed in the cleanup.
>
> But we do? We free this memory in cleanup ? And I was allocated by us.
>
> sub_info itself can't go away (if you meant this), but
> sub_info->path/argv/envp can.

Oh... you are right - the UMH_KILLABLE is the problem here. Dunno what
I was thinking :-/. I will fix my pending the patches.

thanks
Lucas De Marchi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ