Re: [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak

From: Cyrill Gorcunov
Date: Mon Mar 15 2021 - 08:56:01 EST


On Mon, Mar 15, 2021 at 01:08:03PM +0100, Oleg Nesterov wrote:
> On 03/14, Alexey Dobriyan wrote:
> >
> > prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);
> >
> > will copy 1 byte from userspace to (quite big) on-stack array
> > and then stash everything to mm->saved_auxv.
>
> I too don't understand, memcpy(mm->saved_auxv, user_auxv, len) will
> copy 1 byte...

Indeed. I overlooked that we pass @len when copying. I should
not reply at night :(

>
> And why task_lock(current) ? What does it try to protect?

As far as I remember this was related to reading from procfs
at the time the patch was first written. It looks like this is
not relevant anymore and could be dropped.
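To make the point of the exchange concrete (that a `len`-bounded copy out of the on-stack array cannot stash the array's uninitialised remainder, whatever size the caller passes), here is a small user-space model of that copy path. It is an added example, not the kernel's `prctl_set_auxv()` or any code from this thread: `AT_VECTOR_SIZE`, `struct model_mm`, the `model_copy_from_user()` stand-in and the sentinel/counting helper are all constructed for the model, and `task_lock()` is omitted because the discussion treats it as unrelated to the copy itself.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed vector size for the model (in unsigned longs); not the
 * kernel's definition. */
#define AT_VECTOR_SIZE 32

/* Minimal stand-in for the part of mm_struct the copy targets. */
struct model_mm {
    unsigned long saved_auxv[AT_VECTOR_SIZE];
};

/* Stand-in for copy_from_user(): "faults" only on a NULL source. */
static int model_copy_from_user(void *dst, const void *src, size_t len)
{
    if (src == NULL)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Model of the discussed path: a fixed-size on-stack array receives `len`
 * bytes from the caller, and the same `len` is used when stashing into
 * saved_auxv. Bytes of user_auxv past `len` never leave this function. */
int model_set_auxv(struct model_mm *mm, const void *addr, size_t len)
{
    unsigned long user_auxv[AT_VECTOR_SIZE] = {0};

    if (len > sizeof(user_auxv))
        return -EINVAL;
    if (model_copy_from_user(user_auxv, addr, len))
        return -EFAULT;

    /* Same bound on the way out: this is what keeps a 1-byte request a
     * 1-byte write, as noted in the thread. */
    memcpy(mm->saved_auxv, user_auxv, len);
    return 0;
}

/* Helper for checking the model: pre-fill saved_auxv with a sentinel,
 * submit `len` bytes of constructed caller data, and return how many
 * bytes of saved_auxv changed. Returns (size_t)-1 if the call failed. */
size_t model_bytes_written(size_t len)
{
    struct model_mm mm;
    unsigned char input[sizeof(mm.saved_auxv)];
    const unsigned char *stored = (const unsigned char *)mm.saved_auxv;
    size_t i, changed = 0;

    memset(&mm, 0xAA, sizeof(mm));       /* sentinel: "previous" contents */
    memset(input, 0x55, sizeof(input));  /* constructed caller data */

    if (model_set_auxv(&mm, input, len) != 0)
        return (size_t)-1;
    for (i = 0; i < sizeof(mm.saved_auxv); i++)
        if (stored[i] != 0xAA)
            changed++;
    return changed;
}

int main(void)
{
    printf("len=1   -> %zu byte(s) of saved_auxv changed\n",
           model_bytes_written(1));
    printf("len=max -> %zu byte(s) of saved_auxv changed\n",
           model_bytes_written(sizeof(unsigned long) * AT_VECTOR_SIZE));
    printf("len=max+1 -> status %d (expected %d)\n",
           model_set_auxv(NULL, NULL, sizeof(unsigned long) * AT_VECTOR_SIZE + 1),
           -EINVAL);
    return 0;
}
```

Running it shows that a 1-byte request changes exactly one byte of the stored vector; the oversize case is rejected before anything is read, and the full-size case rewrites the whole vector. If the outgoing `memcpy` used `sizeof(user_auxv)` instead of `len`, the remainder of the stack array would be stashed as well, which is exactly the situation the thread rules out.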