lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 29 Nov 2017 15:23:42 -0800
From:   Andrei Vagin <avagin@...tuozzo.com>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     Alexey Dobriyan <adobriyan@...il.com>,
        linux-kernel@...r.kernel.org, xemul@...tuozzo.com
Subject: Re: proc: fix /proc/*/map_files lookup

On Wed, Nov 29, 2017 at 02:56:03PM -0800, Andrew Morton wrote:
> On Mon, 27 Nov 2017 21:29:25 -0800 Andrei Vagin <avagin@...tuozzo.com> wrote:
> 
> > On Tue, Nov 21, 2017 at 12:27:06AM +0300, Alexey Dobriyan wrote:
> > > Current code does:
> > > 
> > > 	if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2)
> > > 
> > > However sscanf() is broken garbage.
> > > 
> > > It silently accepts whitespace between format specifiers
> > > (did you know that?).
> > > 
> > > It silently accepts valid strings which result in integer overflow.
> > > 
> > > Do not use sscanf() for any even remotely reliable parsing code.
> > 
> > This patch breaks criu, criu has one places where a file name is generated
> > as map_files/%p-%p
> > 
> > openat(1048572, "map_files/0x7f9912dd5000-0x7f9912de4000", O_RDWR) = -1 ENOENT (No such file or directory) <0.000015>
> > 
> > And this code worked before this patch and it doesn't work with this
> > patch. And you have to know that we never break user-space programs ;)
> > 
> > But seriously, the patch looks good to me, but I would prefer to not queue
> > it into stable kernels.
> 
> The patch breaks CRIU but you're OK with merging it?  How does that work ;)

It was a bug in criu. And this bug is on a minor path, which works when
memfd_create() isn't available. It is a reason why I ask to not
backport this patch to stable kernels.

In CRIU this bug can be triggered, only if this patch will be backported
to a kernel which version is lower than v3.16.

> 
> Now I'm worried that it will break other things.

I think a chance is very small. All programs should use names which
listed in /proc/PID/map_files/.

Powered by blists - more mailing lists