lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150527222941.GA28699@p183.telecom.by>
Date:	Thu, 28 May 2015 01:29:42 +0300
From:	Alexey Dobriyan <adobriyan@...il.com>
To:	Cyrill Gorcunov <gorcunov@...il.com>
Cc:	akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
	jarod@...hat.com, jstancek@...hat.com
Subject: Re: [PATCH 2/2] proc: fix PAGE_SIZE limit of /proc/$PID/cmdline

On Thu, May 28, 2015 at 01:14:35AM +0300, Cyrill Gorcunov wrote:
> On Thu, May 28, 2015 at 12:49:53AM +0300, Alexey Dobriyan wrote:
> ...
> > -static int proc_pid_cmdline(struct seq_file *m, struct pid_namespace *ns,
> > -			    struct pid *pid, struct task_struct *task)
> > +static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
> > +				     size_t _count, loff_t *pos)
> >  {
> > +	struct task_struct *tsk;
> > +	struct mm_struct *mm;
> > +	char *page;
> > +	unsigned long count = _count;
> > +	unsigned long arg_start, arg_end, env_start, env_end;
> > +	unsigned long len1, len2, len;
> > +	unsigned long p;
> > +	char c;
> > +	ssize_t rv;
> > +
> > +	BUG_ON(*pos < 0);
> > +
> > +	tsk = get_proc_task(file_inode(file));
> > +	if (!tsk)
> > +		return -ESRCH;
> > +	mm = get_task_mm(tsk);
> > +	put_task_struct(tsk);
> > +	if (!mm)
> > +		return 0;
> > +	/* Check if process spawned far enough to have cmdline. */
> > +	if (!mm->env_end) {
> > +		rv = 0;
> > +		goto out_mmput;
> > +	}
> > +
> > +	page = (char *)__get_free_page(GFP_TEMPORARY);
> > +	if (!page) {
> > +		rv = -ENOMEM;
> > +		goto out_mmput;
> > +	}
> > +
> > +	down_read(&mm->mmap_sem);
> > +	arg_start = mm->arg_start;
> > +	arg_end = mm->arg_end;
> > +	env_start = mm->env_start;
> > +	env_end = mm->env_end;
> > +	up_read(&mm->mmap_sem);
> 
> Could you please explain why this down/up is needed?

Code is written this way to get constistent snapshot of data.
If you look at PR_SET_MM_* code, you'll notice down_read(&mm->mmap_sem)
as well which is a separate bug because you're _writing_ those fields
eventually in prctl_set_mm(), yuck!
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ