lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 25 Sep 2017 08:53:35 -0400
From:   Meng Xu <meng.xu@...ech.edu>
To:     Peter Zijlstra <peterz@...radead.org>,
        Meng Xu <mengxu.gatech@...il.com>
Cc:     mingo@...hat.com, linux-kernel@...r.kernel.org,
        sanidhya@...ech.edu, taesoo@...ech.edu
Subject: Re: [PATCH] sched/core: Fix a potential double fetch bug on
 attr->size

Hi Peter,

I am sorry, I thought the patch is included in the forwarded
email. I just resent the patch. Please check.

Best Regards,
Meng

On 09/25/2017 03:31 AM, Peter Zijlstra wrote:
> On Sat, Sep 23, 2017 at 10:05:56PM -0400, Meng Xu wrote:
>> Hi Peter and Ingo,
>>
>> As a reminder, this is a very similar issue to perf_copy_attr (see following patch)
>> https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=f12f42acdbb577a12eecfcebbbec41c81505c4dc <https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=f12f42acdbb577a12eecfcebbbec41c81505c4dc>
>>
>> Will it be fixed as well?
> If someone were to actually send me the patch.. probably.
>
>>> On Aug 29, 2017, at 3:10 PM, Meng Xu <meng.xu@...ech.edu> wrote:
>>>
>>> From: Meng Xu <mengxu.gatech@...il.com>
>>>
>>> `attr->size` after the second fetch `copy_from_user(attr, uattr, size)`,
>>> can be different from what is initially fetched in and checked
>>> `get_user(size, &uattr->size)` by racing condition in the userspace.
>>>
>>> The issue and the patch are both similar to commit f12f42a
>>> (in kernel/events/core.c).
>>>
>>> Signed-off-by: Meng Xu <mengxu.gatech@...il.com>
>>> ---
>>> kernel/sched/core.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/kernel/sched/core.c b/kernel/sched/core.c
>>> index 0869b20..c22d2b4 100644
>>> --- a/kernel/sched/core.c
>>> +++ b/kernel/sched/core.c
>>> @@ -4349,6 +4349,8 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a
>>> 	if (ret)
>>> 		return -EFAULT;
>>>
>>> +	attr->size = size;
>>> +
>>> 	/*
>>> 	 * XXX: Do we want to be lenient like existing syscalls; or do we want
>>> 	 * to be strict and return an error on out-of-bounds values?
>>> -- 
>>> 2.7.4
>>>

Powered by blists - more mailing lists