Re: [PATCH] sched: fix a potential double-fetch bug in sched_copy_attr

From: Peter Zijlstra
Date: Mon Jan 07 2019 - 12:11:09 EST


On Tue, Dec 25, 2018 at 04:16:47PM -0600, Kangjie Lu wrote:
> "uattr->size" is copied in from user space and checked. However, it is
> copied in again after the security check. A malicious user may race to
> change it. The fix checks if uattr->size is ever changed after the
> check.
>
> Signed-off-by: Kangjie Lu <kjlu@xxxxxxx>
> ---

> + /* Sanity check if size was changed in user space */
> + if (attr->size != size)
> + return -EINVAL;
> +
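Review bot: the check `if (attr->size != size) return -EINVAL;` adds a new error path for a case the kernel can already resolve on its own: it holds the validated `size` from the first fetch, so assigning `attr->size = size;` after the second copy closes the same race window without changing the return value for any caller, which is what perf_copy_attr() does. The comment "Sanity check if size was changed in user space" should also say what is being defended, namely a time-of-check/time-of-use race between the first read of uattr->size and the later copy_from_user() of the whole struct, since that race is the only reason the line exists.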

What perf_copy_attr() does (from whence we copied this code) is:

attr->size = size;

Would that not also fix things?
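The two fixes under discussion, as an added user-space model that is not kernel code and not part of this thread: a fake copy_from_user() lets a simulated racing thread rewrite the user-side size word between the two fetches, and copy_attr_model() applies either the posted check (reject on mismatch) or the perf_copy_attr()-style assignment. All function and variable names are constructed for the model; the struct layout is the 48-byte VER0 sched_attr, and the "size 0 means VER0" step mirrors the ABI quirk in the real sched_copy_attr() (stated from the kernel source, not from the thread).

```c
/* Constructed model of the sched_copy_attr() double fetch; not kernel code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define EFAULT 14
#define E2BIG   7
#define EINVAL 22

/* Field layout of the original (VER0) struct sched_attr, 48 bytes. */
struct attr_model {
    uint32_t size;
    uint32_t sched_policy;
    uint64_t sched_flags;
    int32_t  sched_nice;
    uint32_t sched_priority;
    uint64_t sched_runtime;
    uint64_t sched_deadline;
    uint64_t sched_period;
};
#define ATTR_SIZE_VER0 ((uint32_t)sizeof(struct attr_model))

enum fix { FIX_NONE, FIX_REJECT, FIX_NORMALIZE };

/* The "user" buffer plus a one-shot racer that rewrites its size word. */
static struct attr_model user_buf;
static int racer_pending;
static uint32_t racer_size;
static uint32_t last_used;   /* size the kernel side would go on to use */

/* Emulated copy_from_user(): after the copy, the racing thread gets its
 * window and rewrites the user-side size field exactly once. */
static int fake_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    if (racer_pending) {
        user_buf.size = racer_size;
        racer_pending = 0;
    }
    return 0;
}

/* Model of sched_copy_attr(): fetch size, validate it, copy the whole struct
 * using that size, then apply the selected mitigation. Returns 0 or -errno. */
static int copy_attr_model(struct attr_model *attr, enum fix mode)
{
    uint32_t size;

    memset(attr, 0, sizeof(*attr));
    if (fake_copy_from_user(&size, &user_buf.size, sizeof(size)))  /* fetch #1 */
        return -EFAULT;
    if (size == 0)                 /* ABI quirk of the real function: 0 means VER0 */
        size = ATTR_SIZE_VER0;
    if (size < ATTR_SIZE_VER0 || size > sizeof(*attr))
        return -E2BIG;             /* larger sizes with zeroed tails are not modelled */
    if (fake_copy_from_user(attr, &user_buf, size))                 /* fetch #2 */
        return -EFAULT;

    switch (mode) {
    case FIX_REJECT:       /* the posted patch: refuse a changed size word */
        if (attr->size != size)
            return -EINVAL;
        break;
    case FIX_NORMALIZE:    /* perf_copy_attr() style: only the validated value survives */
        attr->size = size;
        break;
    case FIX_NONE:         /* unfixed: attr->size is whatever fetch #2 saw */
        break;
    }
    return 0;
}

/* One scenario: the user buffer starts with size 'first' and the racer
 * rewrites it to 'second' after the first fetch. Returns the -errno result;
 * used_size() reports the size the kernel would then trust. */
int run_scenario(uint32_t first, uint32_t second, enum fix mode)
{
    struct attr_model attr;
    int ret;

    memset(&user_buf, 0, sizeof(user_buf));
    user_buf.size = first;
    racer_size = second;
    racer_pending = (first != second);
    ret = copy_attr_model(&attr, mode);
    last_used = attr.size;
    return ret;
}

uint32_t used_size(void) { return last_used; }

int main(void)
{
    static const char *names[] = { "none", "reject", "normalize" };
    for (int m = FIX_NONE; m <= FIX_NORMALIZE; m++) {
        int ret = run_scenario(ATTR_SIZE_VER0, 4096, (enum fix)m);
        printf("race 48->4096 fix=%-9s ret=%d attr->size=%u\n", names[m], ret, used_size());
    }
    printf("honest size=0 fix=reject ret=%d\n", run_scenario(0, 0, FIX_REJECT));
    return 0;
}
```

The unfixed path ends with attr->size holding the racer's 4096 although only 48 bytes were validated and copied; the reject path returns -EINVAL, but also for an honest caller that passes size 0 and relies on the VER0 quirk; the assignment keeps the validated value in every case, which is the behavioural difference behind the perf_copy_attr() suggestion.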