Re: [PATCH] ptrace: use safer wake up on ptrace_detach()

From: Andrew Morton
Date: Wed Feb 02 2011 - 14:34:20 EST

Next message: jacob pan: "Re: [RFC PATCH 2/2] cgroup/freezer: add per freezer duty ratiocontrol"
Previous message: Mathieu Desnoyers: "Re: [PATCH 2/2] Tracepoints: Fix section alignment using pointerarray"
In reply to: Tejun Heo: "Re: [PATCH] ptrace: use safer wake up on ptrace_detach()"
Next in thread: Tejun Heo: "Re: [PATCH] ptrace: use safer wake up on ptrace_detach()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2 Feb 2011 11:34:02 +0100
Tejun Heo <tj@xxxxxxxxxx> wrote:

> Hello,
>
> On Tue, Feb 01, 2011 at 09:38:28PM -0800, Andrew Morton wrote:
> > On Tue, 1 Feb 2011 21:33:31 -0800 (PST) Roland McGrath <roland@xxxxxxxxxx> wrote:
> >
> > > > Am unable to work out why you tagged it for backporting. It fixes some
> > > > observed bug? Perhaps a regression?
> > >
> > > No observed bug, only theoretical ones (AFAIK, never even a ginned-up
> > > synthetic test case has been demonstrated). Certainly not a regression,
> > > since it has been this (wrong) way since the dawn of time. I don't think
> > > this first change is dangerous for -stable, but I have seen no positive
> > > rationale for pushing it there.
> > >
> >
> > OK, thanks. I shall destabilize my copy of this patch.
>
> It can be used as an attack vector. I don't think it will take too
> much effort to come up with an attack which triggers oops somewhere.
> Most sleeps are wrapped in condition test loops and should be safe but
> we have quite a number of places where sleep and wakeup conditions are
> expected to be interlocked. Although the window of opportunity is
> tiny, ptrace can be used by non-privileged users and with some loading
> the window can definitely be extended and exploited.
>
> The chance of this problem being visible under normal usage is
> extremely low so no wonder there is no related bug report but that is
> very different from being safe against targeted attacks.
>
> As the likelihood of causing user noticeable breakage is very low, I
> think we better push it through -stable.
>

We're learning some lessons about changelogging here :(

I added this:

: This bug can possibly be used as an attack vector. I don't think
: it will take too much effort to come up with an attack which triggers
: oops somewhere. Most sleeps are wrapped in condition test loops and
: should be safe but we have quite a number of places where sleep and
: wakeup conditions are expected to be interlocked. Although the
: window of opportunity is tiny, ptrace can be used by non-privileged
: users and with some loading the window can definitely be extended and
: exploited.

to the changelog so the -stable maintainers can understand why we're
sending this patch at them.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: jacob pan: "Re: [RFC PATCH 2/2] cgroup/freezer: add per freezer duty ratiocontrol"
Previous message: Mathieu Desnoyers: "Re: [PATCH 2/2] Tracepoints: Fix section alignment using pointerarray"
In reply to: Tejun Heo: "Re: [PATCH] ptrace: use safer wake up on ptrace_detach()"
Next in thread: Tejun Heo: "Re: [PATCH] ptrace: use safer wake up on ptrace_detach()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]