Re: file offset corruption on 32-bit machines?

From: Jiri Kosina
Date: Thu Apr 10 2008 - 10:31:20 EST


On Thu, 10 Apr 2008, Jan Kara wrote:

> > The f_pos races are in fact exploitable, we've already been there. See
> > for example http://www.isec.pl/vulnerabilities/isec-0016-procleaks.txt
> Well, this race is more subtle - the window is just one instruction
> wide (stores to f_pos from CPU2 must come between the store of lower and
> upper 32-bits of f_pos on CPU1). And the only result is that f_pos has
> 32-bits from one file pointer and 32-bits from the other one. So I can
> hardly imagine this would be exploitable...

Supposing you are not holding any spinlock and are running with a
preemptible kernel (pretty common scenario nowadays), there is nothing
that would prevent the kernel from rescheduling between the two instructions,
enlarging the race window to be more comfortable for an attacker, right?

I think this is worth fixing.

--
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
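The exchange above is about a 64-bit loff_t being stored as two 32-bit words on a 32-bit CPU, so another store (or, as Jiri notes, a reschedule) landing between the two halves leaves f_pos with one half from each writer. The following user-space model, added here as an illustration and not code from this thread or from the kernel, makes that interleaving deterministic: a hook stands in for the other CPU running between the two word accesses, is_torn() checks whether a value is a mix of two legitimate positions, and a seqcount (the pattern the kernel uses elsewhere, e.g. u64_stats_sync, for 64-bit values on 32-bit) shows how a reader can detect and retry a torn read. The struct, the hook, POS_A/POS_B and the demo functions are all constructed for this example; note that a seqcount only protects readers, and concurrent writers still need a lock among themselves.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A 64-bit file position as a 32-bit CPU holds it: two separate words.
 * seq is a seqcount, odd while a writer is between its two stores.
 * (Constructed model for illustration; not kernel code.) */
struct pos64 {
    volatile uint32_t lo, hi;
    volatile unsigned seq;
};

/* Hook run between the two halves of one access; it models the other CPU
 * (or, in a preemptible kernel, another task) getting in at that point. */
typedef void (*interfere_fn)(struct pos64 *p);

/* What "f->f_pos = v" compiles to on a 32-bit target: two plain stores. */
static void pos_store_plain(struct pos64 *p, uint64_t v, interfere_fn interfere)
{
    p->lo = (uint32_t)v;
    if (interfere)
        interfere(p);                 /* the race window */
    p->hi = (uint32_t)(v >> 32);
}

/* The matching plain load, with the same window between its two halves. */
static uint64_t pos_load_plain(struct pos64 *p, interfere_fn interfere)
{
    uint32_t lo = p->lo;
    if (interfere)
        interfere(p);
    uint32_t hi = p->hi;
    return ((uint64_t)hi << 32) | lo;
}

/* Seqcount writer: lets readers tell that an update was in flight.
 * Writers still need a lock among themselves; the seqcount is not one. */
static void pos_store_seq(struct pos64 *p, uint64_t v, interfere_fn interfere)
{
    p->seq++;                         /* odd: update in progress */
    pos_store_plain(p, v, interfere);
    p->seq++;                         /* even: update complete */
}

/* Seqcount reader: retry until both halves came from the same write. */
static uint64_t pos_load_seq(struct pos64 *p, interfere_fn interfere)
{
    unsigned s;
    uint64_t v;
    do {
        s = p->seq;
        while (s & 1)                 /* writer active: wait it out */
            s = p->seq;
        v = pos_load_plain(p, interfere);
    } while (p->seq != s);            /* seq moved: halves may be mixed */
    return v;
}

/* Two legitimate positions that differ in both halves (constructed). */
#define POS_A UINT64_C(0x0000000100000000)   /* exactly 4 GiB */
#define POS_B UINT64_C(0x00000000FFFFFFFF)   /* one byte less  */

/* The interfering CPU: fires once per demo and stores a chosen value. */
static struct { uint64_t value; bool use_seq; int fired; } other_cpu;

static void other_cpu_store(struct pos64 *p)
{
    if (other_cpu.fired++)
        return;                       /* exactly one interleaving per demo */
    if (other_cpu.use_seq)
        pos_store_seq(p, other_cpu.value, NULL);
    else
        pos_store_plain(p, other_cpu.value, NULL);
}

static void arm_other_cpu(uint64_t v, bool use_seq)
{
    other_cpu.value = v;
    other_cpu.use_seq = use_seq;
    other_cpu.fired = 0;
}

/* Check: is v one half of a joined with the other half of b? */
static bool is_torn(uint64_t v, uint64_t a, uint64_t b)
{
    const uint64_t HI = UINT64_C(0xFFFFFFFF00000000), LO = UINT64_C(0xFFFFFFFF);
    return v != a && v != b &&
           (v == ((a & HI) | (b & LO)) || v == ((b & HI) | (a & LO)));
}

/* CPU1 stores A; CPU2's store of B lands between CPU1's two halves. */
static uint64_t demo_torn_store(void)
{
    struct pos64 p = {0};
    arm_other_cpu(POS_B, false);
    pos_store_plain(&p, POS_A, other_cpu_store);
    return pos_load_plain(&p, NULL);  /* hi from A, lo from B */
}

/* Reader takes B's low half, CPU2 stores A, reader takes A's high half. */
static uint64_t demo_torn_load(void)
{
    struct pos64 p = {0};
    pos_store_plain(&p, POS_B, NULL);
    arm_other_cpu(POS_A, false);
    return pos_load_plain(&p, other_cpu_store);
}

/* Same interleaving, but the seqcount makes the reader notice and retry. */
static uint64_t demo_seq_load(void)
{
    struct pos64 p = {0};
    pos_store_seq(&p, POS_B, NULL);
    arm_other_cpu(POS_A, true);
    return pos_load_seq(&p, other_cpu_store);
}

int main(void)
{
    uint64_t a = demo_torn_store(), b = demo_torn_load(), c = demo_seq_load();
    printf("torn store: 0x%" PRIx64 " torn=%d\n", a, is_torn(a, POS_A, POS_B));
    printf("torn load : 0x%" PRIx64 " torn=%d\n", b, is_torn(b, POS_A, POS_B));
    printf("seq load  : 0x%" PRIx64 " torn=%d\n", c, is_torn(c, POS_A, POS_B));
    return 0;
}
```

The two unprotected demos both end up at 0x1FFFFFFFF, which is neither 4 GiB nor 4 GiB minus one, exactly the "32 bits from one file pointer and 32 bits from the other" outcome described in the thread; the seqcount reader sees the count move, retries, and returns a position that some writer actually stored.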