Re: Q about pagecache data never written to disk
From: Nick Piggin
Date: Thu Sep 09 2004 - 08:32:47 EST

Pavel Machek wrote:

> No, read() will see the modified pagecache data immediately, apart from CPU
> cache coherency effects.
>
> Is not this quite a big security hole?
>
> cat evil_data > /tmp/sign.me [Okay, evil_data probably has to
>   contain a lot of zeroes?]
> sync, fill disk or wait for someone to fill disk completely
> attempt to write good_data to /tmp/sign.me using mmap
> "Hey, root, see what /tmp/sign.me contains, can you make it suid?"
> root reads /tmp/sign.me, and sees it is good.
> root does chown root.root /tmp/sign.me; chmod 4755 /tmp/sign.me
> kernel realizes that there's not enough disk space, and discards
>   changes, therefore /tmp/sign.me reverts to previous, evil, content.

root would have to make that change while user has the file open,
and should welcome the subsequent unleashing of evil content as a
valuable lesson.
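
The reply above turns on root changing ownership and mode of a file the user still holds open. As an added example that is not part of the original thread, here is a defender-side sketch that installs a copy of the reviewed bytes into a fresh inode instead of running chown/chmod in place. The function name `install_reviewed_copy`, its parameters and the SHA-256 comparison are assumptions made for illustration; run as root, the new file is owned by root because root creates it.

```python
import hashlib
import os
import stat
import tempfile


def install_reviewed_copy(src, dst, reviewed_sha256, mode=0o4755):
    """Copy the reviewed bytes of src into a brand-new inode at dst.

    src, dst and reviewed_sha256 are hypothetical names for this example.
    Returns the inode number of the installed file.
    """
    # O_NOFOLLOW: refuse a symlink swapped in at the submitted path.
    fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise ValueError("source is not a regular file")
        data = f.read()  # one snapshot; everything below uses these bytes

    # Compare against the digest recorded when the content was reviewed.
    if hashlib.sha256(data).hexdigest() != reviewed_sha256:
        raise ValueError("content differs from the reviewed version")

    # New file in the destination directory: an inode the submitter never
    # had open or mapped, so later changes to src cannot reach it.
    dst_dir = os.path.dirname(os.path.abspath(dst))
    tmp_fd, tmp_path = tempfile.mkstemp(dir=dst_dir)
    try:
        with os.fdopen(tmp_fd, "wb") as out:
            out.write(data)
            out.flush()
            # fsync reports writeback failures (for example ENOSPC) as
            # OSError before the file is given any privileged mode.
            os.fsync(out.fileno())
            os.fchmod(out.fileno(), mode)
        os.replace(tmp_path, dst)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return os.stat(dst).st_ino
```
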