So the probability of getting through in one try is about (tR+tH)/tH,
where tR is the average random delay, and tH is the time between the
check and the actual access.
If you keep on trying until you get through, you'll succeed on average
after tR^2/tH+tR.
If you make tR = 1 s (that's pretty long, e.g. if you do this to
unlink(2), a rm -rf of the kernel source tree would take about four
hours) and assume that tH is only one microsecond, the race condition
can still be exploited within typically less than one fortnight.
Since the system would be idle most of the time, such a brute-force
attack could easily go unnoticed, even if somebody cares to monitor
the system often enough.
Sounds like voodoo security to me.
- Werner
--
Werner Almesberger, Buenos Aires, Argentina
wa@almesberger.net
http://www.almesberger.net/
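A worked check of the arithmetic above, added here and not part of Werner's post. It assumes a per-try success probability of tH/(tR+tH) (the ratio that yields the post's expected time tR^2/tH + tR), charges one delay period tR per attempt, and compares the closed form with a Monte Carlo estimate for tR = 1 s and tH = 1 µs.

```python
import math
import random


def success_probability(t_r, t_h):
    """Chance that a single try lands in the check-to-access window.

    Assumed model: the access instant is spread over a span of t_r + t_h
    seconds by the random delay, and one try covers a window of width t_h.
    """
    return t_h / (t_r + t_h)


def expected_time(t_r, t_h):
    """Expected seconds until the race is won: one try per delay period,
    1/p tries on average.  Algebraically this is t_r**2 / t_h + t_r."""
    return t_r / success_probability(t_r, t_h)


def sample_time_to_success(t_r, t_h, rng):
    """One Monte Carlo run.  The number of tries is geometric with
    parameter p; it is drawn by inverse CDF so a run with p ~ 1e-6 does
    not loop a million times.  Each try costs one delay period t_r."""
    p = success_probability(t_r, t_h)
    u = rng.random()  # u in [0, 1), so 1 - u in (0, 1] and the log is finite
    tries = max(1, math.ceil(math.log(1.0 - u) / math.log(1.0 - p)))
    return tries * t_r


def mean_time_to_success(t_r, t_h, runs=20000, seed=0):
    """Average of many simulated runs; a fixed seed keeps it reproducible."""
    rng = random.Random(seed)
    total = sum(sample_time_to_success(t_r, t_h, rng) for _ in range(runs))
    return total / runs


def days(seconds):
    return seconds / 86400.0


if __name__ == "__main__":
    # The post's parameters: a 1 s average delay, a 1 us check-to-access gap.
    t_r, t_h = 1.0, 1e-6
    print("closed form: %.1f days" % days(expected_time(t_r, t_h)))
    print("simulation:  %.1f days" % days(mean_time_to_success(t_r, t_h)))
```

Both numbers come out near 11.6 days, inside the "less than one fortnight" the post gives.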