Date: Mon, 25 Sep 2017 08:53:35 -0400 From: Meng Xu <meng.xu@...ech.edu> To: Peter Zijlstra <peterz@...radead.org>, Meng Xu <mengxu.gatech@...il.com> Cc: mingo@...hat.com, linux-kernel@...r.kernel.org, sanidhya@...ech.edu, taesoo@...ech.edu Subject: Re: [PATCH] sched/core: Fix a potential double fetch bug on attr->size Hi Peter, I am sorry, I thought the patch is included in the forwarded email. I just resent the patch. Please check. Best Regards, Meng On 09/25/2017 03:31 AM, Peter Zijlstra wrote: > On Sat, Sep 23, 2017 at 10:05:56PM -0400, Meng Xu wrote: >> Hi Peter and Ingo, >> >> As a reminder, this is a very similar issue to perf_copy_attr (see following patch) >> https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=f12f42acdbb577a12eecfcebbbec41c81505c4dc <https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=f12f42acdbb577a12eecfcebbbec41c81505c4dc> >> >> Will it be fixed as well? > If someone were to actually send me the patch.. probably. > >>> On Aug 29, 2017, at 3:10 PM, Meng Xu <meng.xu@...ech.edu> wrote: >>> >>> From: Meng Xu <mengxu.gatech@...il.com> >>> >>> `attr->size` after the second fetch `copy_from_user(attr, uattr, size)`, >>> can be different from what is initially fetched in and checked >>> `get_user(size, &uattr->size)` by racing condition in the userspace. >>> >>> The issue and the patch are both similar to commit f12f42a >>> (in kernel/events/core.c). >>> >>> Signed-off-by: Meng Xu <mengxu.gatech@...il.com> >>> --- >>> kernel/sched/core.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/kernel/sched/core.c b/kernel/sched/core.c >>> index 0869b20..c22d2b4 100644 >>> --- a/kernel/sched/core.c >>> +++ b/kernel/sched/core.c 
>>> @@ -4349,6 +4349,8 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a >>> if (ret) >>> return -EFAULT; >>> >>> + attr->size = size; >>> + >>> /* >>> * XXX: Do we want to be lenient like existing syscalls; or do we want >>> * to be strict and return an error on out-of-bounds values? >>> -- >>> 2.7.4 >>>
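Review bot: The added `attr->size = size;` right after the `if (ret) return -EFAULT;` check carries no comment, so a later reader is likely to take it for a redundant store and remove it. A one-line comment above it would help, saying that user space can change `uattr->size` between `get_user(size, &uattr->size)` and `copy_from_user(attr, uattr, size)` and that the already-checked value is being restored. In the commit message, "commit f12f42a" would be easier to look up if it were cited with at least 12 hex digits and the commit subject in parentheses, the usual kernel form.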
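The double fetch described in the quoted commit message, modelled in user space as an added example (not code from the patch or the kernel). `demo_attr`, `fetch_size`, the validation bounds and the one-shot racer hook are constructed stand-ins for `sched_attr`, `get_user()` and a concurrent user-space writer.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for struct sched_attr: only the size field matters here. */
struct demo_attr {
    uint32_t size;
    uint32_t policy;
};

/* Constructed "user memory" and a hook that models another thread rewriting it. */
static struct demo_attr user_mem;
static uint32_t racer_value;   /* value the racing writer stores */
static int racer_armed;        /* fires once, between fetch 1 and fetch 2 */

static uint32_t fetch_size(const struct demo_attr *u)   /* models get_user() */
{
    uint32_t v = u->size;
    if (racer_armed) { user_mem.size = racer_value; racer_armed = 0; }
    return v;
}

/* Returns 0 on success, -1 if the first-fetched size fails validation. */
static int demo_copy_attr(const struct demo_attr *u, struct demo_attr *k, int apply_fix)
{
    uint32_t size = fetch_size(u);        /* first fetch: this value is checked */
    if (size == 0 || size > sizeof(*k))   /* assumed bounds check */
        return -1;
    memcpy(k, u, size);                   /* second fetch: models copy_from_user() */
    if (apply_fix)
        k->size = size;                   /* the patch: keep the checked value */
    return 0;
}

/* One copy with the racer rewriting size to `raced`; returns the resulting k.size. */
uint32_t size_seen_by_kernel(uint32_t raced, int apply_fix)
{
    struct demo_attr k = {0};
    user_mem.size = sizeof(struct demo_attr);
    user_mem.policy = 0;
    racer_value = raced;
    racer_armed = 1;
    return demo_copy_attr(&user_mem, &k, apply_fix) ? 0 : k.size;
}

int main(void)
{
    /* Unpatched: the unchecked 4096 survives. Patched: the checked size does. */
    return !(size_seen_by_kernel(4096, 0) == 4096 &&
             size_seen_by_kernel(4096, 1) == sizeof(struct demo_attr));
}
```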