On 12 Dec 2013 at 22:41, Rik van Riel wrote:
> If the vma has been freed by the time the code jumps to the
> out label (because it was freed by a function called from
> mmap_region), surely it will also already have been freed
> by the time this patch dereferences it?
Oops, yes, I meant to save t
On Thu, Dec 12, 2013 at 10:41:18PM -0500, Rik van Riel wrote:
>
> If the vma has been freed by the time the code jumps to the
> out label (because it was freed by a function called from
> mmap_region), surely it will also already have been freed
> by the time this patch dereferences it?
>
> Also,
Also, setting vma = NULL to avoid the if (vma) branch at
the out: label is unnecessarily obfuscated. Let's make things
clear by documenting what is going on, and having a label
after that dereference.
Maybe something
From: PaX Team
http://lkml.org/lkml/2013/9/17/30
SyS_remap_file_pages() calls mmap_region(), which calls remove_vma_list(),
which calls remove_vma(), which frees the vma. Later (after out label)
SyS_remap_file_pages() accesses the freed vma in vm_flags = vma->vm_flags.
Reported-by: Dmitry Vyuk