Message-ID: <20190107171101.GI14122@hirez.programming.kicks-ass.net>
Date: Mon, 7 Jan 2019 18:11:01 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Kangjie Lu <kjlu@....edu>
Cc: pakki001@....edu, Ingo Molnar <mingo@...hat.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] sched: fix a potential double-fetch bug in
sched_copy_attr
On Tue, Dec 25, 2018 at 04:16:47PM -0600, Kangjie Lu wrote:
> "uattr->size" is copied in from user space and checked. However, it is
> copied in again after the security check. A malicious user may race to
> change it. The fix checks if uattr->size is ever changed after the
> check.
>
> Signed-off-by: Kangjie Lu <kjlu@....edu>
> ---
> + /* Sanity check if size was changed in user space */
> + if (attr->size != size)
> + return -EINVAL;
> +
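Review bot: The added `if (attr->size != size)` test returns -EINVAL whenever the value from the second copy differs from the `size` that was already checked, which adds a new failure path for callers. Since `size` is the checked value, storing it back with `attr->size = size;` after the copy would close the same window without that error return. If the rejection is kept, the comment above it should say that `size` is the value validated earlier and `attr->size` is the one read by the later copy, because "changed in user space" alone does not tell the reader which fetch is trusted.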

What perf_copy_attr() does (from whence we copied this code) is:

	attr->size = size;

Would that not also fix things?
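
The double fetch discussed in this thread, as an added example that is not part of the original message or of the kernel source: a user-space C model in which a constructed copy helper changes `size` between the two fetches, comparing the unfixed path, the patch's mismatch check, and the overwrite suggested in the reply. `demo_attr`, `demo_copy_from_user` and `demo_copy_attr` are hypothetical names, and the struct layout is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the user-supplied struct; only `size` matters. */
struct demo_attr { uint32_t size; uint32_t policy; uint64_t flags; };

/* Constructed "user memory"; size is rewritten just before the second fetch
 * to model a concurrent user-space writer deterministically. */
static struct demo_attr user_mem;
static int fetch_count;
static uint32_t size_on_second_fetch;

static void demo_copy_from_user(void *dst, const void *src, size_t n)
{
    if (++fetch_count == 2)
        user_mem.size = size_on_second_fetch;
    memcpy(dst, src, n);
}

enum fix { FIX_NONE, FIX_REJECT, FIX_OVERWRITE };

/* Returns 0 or -errno; *out is the attr.size that later code would trust. */
static int demo_copy_attr(enum fix fix, uint32_t racy_size, uint32_t *out)
{
    struct demo_attr attr;
    uint32_t size;

    user_mem = (struct demo_attr){ .size = sizeof(attr) };
    size_on_second_fetch = racy_size;
    fetch_count = 0;
    memset(&attr, 0, sizeof(attr));
    demo_copy_from_user(&size, &user_mem.size, sizeof(size)); /* fetch 1 */
    if (size < sizeof(size) || size > sizeof(attr))           /* check   */
        return -E2BIG;
    demo_copy_from_user(&attr, &user_mem, size);              /* fetch 2 */
    if (fix == FIX_REJECT && attr.size != size)   /* patch: refuse mismatch */
        return -EINVAL;
    if (fix == FIX_OVERWRITE)                     /* reply: attr->size = size */
        attr.size = size;
    *out = attr.size;
    return 0;
}

int main(void)
{
    uint32_t out = 0;
    int rc = demo_copy_attr(FIX_NONE, 4096, &out);
    return printf("unfixed: rc=%d size=%u\n", rc, out) < 0;
}
```

With `FIX_NONE` the unchecked value 4096 survives in `attr.size`; both fixes prevent that, and they differ only in whether the call fails or proceeds with the validated size.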