[PATCH] 2.4: Fix steal_locks race

From: Herbert Xu
Date: Fri Aug 08 2003 - 05:58:17 EST

Next message: Alan Cox: "Re: ide-tape broken (was Re: [PATCH] use ide-identify.h, fixendian bug)"
Previous message: Maciej Soltysiak: "Re: [OT] Re: Euro-English"
Next in thread: Herbert Xu: "Re: [PATCH] 2.4: Fix steal_locks race"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi:

The steal_locks() call in binfmt_elf.c is buggy. It steals locks from
a files entry whose reference was dropped much earlier. This allows it
to steal other process's locks.

The following patch calls steal_locks() earlier so that this does not
happen.

Cheers,
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--- kernel-source-2.4/fs/binfmt_elf.c.orig 2003-08-08 20:46:56.000000000 +1000
+++ kernel-source-2.4/fs/binfmt_elf.c 2003-08-08 20:47:05.000000000 +1000
@@ -480,6 +480,7 @@
files = current->files; /* Refcounted so ok */
if(unshare_files() < 0)
goto out_free_ph;
+ steal_locks(files, current->files);

/* exec will make our files private anyway, but for the a.out
loader stuff we need to do it earlier */
@@ -797,7 +798,6 @@
if (current->ptrace & PT_PTRACED)
send_sig(SIGTRAP, current, 0);
retval = 0;
- steal_locks(files, current->files);
out:
return retval;

@@ -813,6 +813,7 @@
out_free_fh:
ftmp = current->files;
current->files = files;
+ steal_locks(ftmp, current->files);
put_files_struct(ftmp);
out_free_ph:
kfree(elf_phdata);

Next message: Alan Cox: "Re: ide-tape broken (was Re: [PATCH] use ide-identify.h, fixendian bug)"
Previous message: Maciej Soltysiak: "Re: [OT] Re: Euro-English"
Next in thread: Herbert Xu: "Re: [PATCH] 2.4: Fix steal_locks race"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]