Message-ID: <CACVXFVOKi=wKsLP850XJ95P=e1B2z+CP=t0GATCZL0gNDOCwnA@mail.gmail.com>
Date:	Sun, 17 Mar 2013 09:02:09 +0800
From:	Ming Lei <tom.leiming@...il.com>
To:	Sasha Levin <levinsasha928@...il.com>
Cc:	Hillf Danton <dhillf@...il.com>, Dave Jones <davej@...hat.com>,
	Greg Kroah-Hartman <greg@...ah.com>,
	Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: use after free in sysfs_find_dirent

On Sun, Mar 17, 2013 at 2:33 AM, Sasha Levin <levinsasha928@...il.com> wrote:
>
> I don't think it shows what we want it to show though:
>
> [  327.416905] Pid: 10504, comm: trinity-child98 Tainted: G        W    3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #301
> [  327.418815] Call Trace:
> [  327.419255]  [<ffffffff812f880e>] release_sysfs_dirent+0x4e/0x120
> [  327.420595]  [<ffffffff812f89d2>] sysfs_dir_pos+0x92/0x130
> [  327.421608]  [<ffffffff812f8b8d>] sysfs_readdir+0x11d/0x280
> [  327.422562]  [<ffffffff8128b070>] ? SyS_ioctl+0xa0/0xa0
> [  327.423441]  [<ffffffff8128b070>] ? SyS_ioctl+0xa0/0xa0
> [  327.424314]  [<ffffffff8128b3e8>] vfs_readdir+0x78/0xc0
> [  327.425263]  [<ffffffff8128b54c>] SyS_getdents+0x8c/0x110
> [  327.426173]  [<ffffffff83d919d8>] tracesys+0xe1/0xe6
>

Sasha, it looks like there is a race when sys_readdir() is run concurrently
on the same directory, and the patch below may fix the race. Could you test the
attached patch to see if the use after free can be fixed?


Thanks,
-- 
Ming Lei

Download attachment "sysfs-fix-readdir.patch" of type "application/octet-stream" (1593 bytes)
