[PATCH 1/2] prctl: take mmap sem for writing to protect against others

From: Mateusz Guzik
Date: Wed Jan 06 2016 - 00:02:46 EST

Next message: Mateusz Guzik: "[PATCH 2/2] proc read mm's {arg,env}_{start,end} with mmap semaphore taken."
Previous message: Mateusz Guzik: "[PATCH 0/2] fix up {arg,env}_{start,end} vs prctl"
In reply to: Mateusz Guzik: "[PATCH 0/2] fix up {arg,env}_{start,end} vs prctl"
Next in thread: Anshuman Khandual: "Re: [PATCH 1/2] prctl: take mmap sem for writing to protect against others"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The code was taking the semaphore for reading, which does not protect
against readers nor concurrent modifications.

The problem could cause a sanity checks to fail in procfs's cmdline
reader, resulting in an OOPS.

Note that some functions perform an unlocked read of various mm fields,
but they seem to be fine despite possible modificaton.

Signed-off-by: Mateusz Guzik <mguzik@xxxxxxxxxx>
---
kernel/sys.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index 6af9212..78947de 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1853,11 +1853,13 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
user_auxv[AT_VECTOR_SIZE - 1] = AT_NULL;
}

- if (prctl_map.exe_fd != (u32)-1)
+ if (prctl_map.exe_fd != (u32)-1) {
error = prctl_set_mm_exe_file(mm, prctl_map.exe_fd);
- down_read(&mm->mmap_sem);
- if (error)
- goto out;
+ if (error)
+ return error;
+ }
+
+ down_write(&mm->mmap_sem);

/*
* We don't validate if these members are pointing to
@@ -1894,10 +1896,8 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
if (prctl_map.auxv_size)
memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));

- error = 0;
-out:
- up_read(&mm->mmap_sem);
- return error;
+ up_write(&mm->mmap_sem);
+ return 0;
}
#endif /* CONFIG_CHECKPOINT_RESTORE */

@@ -1963,7 +1963,7 @@ static int prctl_set_mm(int opt, unsigned long addr,

error = -EINVAL;

- down_read(&mm->mmap_sem);
+ down_write(&mm->mmap_sem);
vma = find_vma(mm, addr);

prctl_map.start_code = mm->start_code;
@@ -2056,7 +2056,7 @@ static int prctl_set_mm(int opt, unsigned long addr,

error = 0;
out:
- up_read(&mm->mmap_sem);
+ up_write(&mm->mmap_sem);
return error;
}

--
1.8.3.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mateusz Guzik: "[PATCH 2/2] proc read mm's {arg,env}_{start,end} with mmap semaphore taken."
Previous message: Mateusz Guzik: "[PATCH 0/2] fix up {arg,env}_{start,end} vs prctl"
In reply to: Mateusz Guzik: "[PATCH 0/2] fix up {arg,env}_{start,end} vs prctl"
Next in thread: Anshuman Khandual: "Re: [PATCH 1/2] prctl: take mmap sem for writing to protect against others"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]