Date:	Sun, 14 Jul 2013 10:36:19 +0100
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	netdev@...r.kernel.org
Subject: buggy check in netlink_mmap_sendmsg()

This
        /* Netlink messages are validated by the receiver before processing.
         * In order to avoid userspace changing the contents of the message
         * after validation, the socket and the ring may only be used by a
         * single process, otherwise we fall back to copying.
         */
        if (atomic_long_read(&sk->sk_socket->file->f_count) > 2 ||  
            atomic_read(&nlk->mapped) > 1)
                excl = false;
looks very odd.  For one thing, descriptor table may be shared, with
one thread calling sendmsg() (which gives f_count equal to 2), while
another calls mmap() just as the first one gets past that check.
Moreover, we might very well have the damn thing mmapped, then clone(2)
creating another thread that shares address space, but not the descriptor
table.  Child closes the socket descriptor it got, then parent does
sendmsg(2) (f_count == 2, again, since this time descriptor table isn't
shared and sendmsg(2) doesn't grab a reference and we have 1 from descriptor
table and 1 from mapping).  Again, the child has it mapped and can play
with it as it wishes...
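
The two cases described in the message, traced as a small userspace model of the counters the check reads. This is an added example, not part of the original message and not kernel code; `struct model`, the `ev_*` helpers and the `other_writers` field are hypothetical, and the counter behaviour is taken from the message's description.

```c
/* Userspace model of the counters read by the check; constructed for
 * illustration, not kernel code. Counter behaviour follows the message. */
#include <stdbool.h>
#include <stdio.h>

struct model {
    long f_count;       /* references on the socket's struct file */
    int  mapped;        /* stands in for nlk->mapped */
    int  other_writers; /* tasks besides the sender able to write the ring */
    bool excl;          /* decision taken by the quoted check */
};

static void ev_mmap(struct model *m) { m->f_count++; m->mapped++; }
static void ev_sendmsg_ref(struct model *m, bool table_shared)
{   /* sendmsg() pins the file only when the descriptor table is shared */
    if (table_shared) m->f_count++;
}
static void ev_check(struct model *m)       /* the quoted condition */
{
    m->excl = !(m->f_count > 2 || m->mapped > 1);
}

/* Case 1: threads share the descriptor table; mmap() lands after the check. */
static struct model case_shared_table(void)
{
    struct model m = { .f_count = 1 };      /* 1 from the descriptor table */
    ev_sendmsg_ref(&m, true);               /* f_count == 2 */
    ev_check(&m);                           /* check passes, excl stays set */
    ev_mmap(&m); m.other_writers++;         /* second thread maps the ring */
    return m;
}

/* Case 2: ring mapped, then clone() sharing the address space only. */
static struct model case_shared_vm(void)
{
    struct model m = { .f_count = 1 };
    ev_mmap(&m);                            /* f_count == 2, mapped == 1 */
    m.f_count++; m.other_writers++;         /* child: own table copy, same mm */
    m.f_count--;                            /* child closes its descriptor */
    ev_sendmsg_ref(&m, false);              /* parent: no extra reference */
    ev_check(&m);                           /* check passes, child can write */
    return m;
}

int main(void)
{
    struct model a = case_shared_table(), b = case_shared_vm();
    printf("case 1: excl=%d other_writers=%d\n", a.excl, a.other_writers);
    printf("case 2: excl=%d other_writers=%d\n", b.excl, b.other_writers);
    return 0;
}
```

In both traces the check leaves `excl` set while `other_writers` is nonzero, which is the mismatch the message points out.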