There appears to be a race condition in the epoll patch which permits
user space to scribble in the kernel's free memory.
First a user space program creates an epoll fd and adds a socket to it
using sys_epoll_ctl(...EP_CTL_ADD...)
Then the program creates two threads, A and B. Simultaneously, A calls
sys_epoll_ctl(...EP_CTL_MOD...) and B calls
sys_epoll_ctl(...EP_CTL_DEL...) on the socket that was previously added.
Thread A runs up through the point where ep_find() returns the (struct
epitem *) for the socket.
Thread B then runs and ep_remove() frees the (struct epitem *).
Thread A then runs some more and stores the value of events into the now
freed block of memory pointed to by dpi.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Oct 31 2002 - 22:00:40 EST