On Wed, 2007-05-16 at 22:56 -0600, sk b wrote:
> Hello,
>
> I'm wondering whether there is an exploitable TOCTTOU race condition in the
> way user pointers are handled in the kernel. Consider the following code:
>
> 1: struct st { int *u; };
> 2: void syscall(struct st * stp) {
> 3: if (!access_ok(VERIFY_READ,stp,sizeof(struct st)))
> 4: return;
> 5: if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int)))
> 6: return;
this line is invalid; you are not allowed to dereference userspace
memory directly. You need to call copy_from_user() on stp first, and
then use the copy.
> 7: foo(); //user app writes a kernel address to stp->u
> 8: *(stp->u) = 0;
> 9:}
>
> Suppose syscall is some system call and, thus, stp and stp->u are user
> pointers. The function checks the stp and stp->u pointers using the access_ok
> macro on lines 3 and 5. Also suppose that the call to foo on line 7 takes a
> non-trivial amount of time to execute. During the time it takes foo to
> execute, the user application writes a kernel address to stp->u. Note that
> this write occurs after the check on line 5. Then, on line 8, the kernel
> writes to stp->u which contains a kernel address. So, the user application
> could force the kernel to overwrite itself. Is it possible to exploit this
> race condition? If so, does Sparse check for this?
>
> -SKB
> _________________________________________________________________
> Download Messenger. Start an i’m conversation. Support a cause. Join now.
> http://im.live.com/messenger/im/home/?source=TAGWL_MAY07-
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [EMAIL PROTECTED]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
if you want to mail me at work (you don't), use arjan (at) linux.intel.com
Test the interaction between Linux and your BIOS via
http://www.linuxfirmwarekit.org
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
