new^H^H^Himproved devfs races

Alexander Viro (viro@math.psu.edu)
Thu, 27 Sep 2001 20:52:51 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Tsunehiko Baba: "[REPORT] (PPC) Compile Error (Linux 2.4.9-ac[12-16])"
Previous message: Alan Cox: "Re: CPU frequency shifting "problems""

Richard, your symlink-related race fixes do not fix anything.

Enter devfs_readlink()
Let it sleep in copy_to_user()
Have symlink unregistered
->registered is 0, ->refcount is 1, ->linkname points to link body
Have symlink registered again (module had been unloaded, now attacker
causes its reload)
->registered is checked. Looks OK.
->refcount is set to 1.
->linkname is set to _new_ link body
copy_to_user() wakes up and finishes.
devfs_readlink() decrements ->refcount to 0.
devfs_readlink() does kfree() on ->linkname (new one)
We are left with registered entry with zero refcount and linkname
pointing nowhere.

Same scenario applies to other places of that kind.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Tsunehiko Baba: "[REPORT] (PPC) Compile Error (Linux 2.4.9-ac[12-16])"
Previous message: Alan Cox: "Re: CPU frequency shifting "problems""