svn commit: r265327 - in user/dchagin/lemul/sys: amd64/linux amd64/linux32 compat/linux conf i386/linux modules/linux modules/linux64

Mateusz Guzik mjguzik at gmail.com
Mon May 5 20:51:45 UTC 2014


On Tue, May 06, 2014 at 12:25:33AM +0400, Chagin Dmitry wrote:
> On Mon, May 05, 2014 at 05:32:18PM +0200, Mateusz Guzik wrote:
> > On Mon, May 05, 2014 at 09:02:04AM +0400, Chagin Dmitry wrote:
> > > On Sun, May 04, 2014 at 08:07:49PM +0200, Mateusz Guzik wrote:
> > > >         switch (args->op) {
> > > >         case LINUX_EPOLL_CTL_MOD:
> > > >                 /*
> > > >                  * We don't memorize which events were set for this FD
> > > >                  * on this level, so just delete all we could have set:
> > > >                  * EVFILT_READ and EVFILT_WRITE, ignoring any errors
> > > >                  */
> > > >                 error = epoll_delete_all_events(td, epfp, args->fd);
> > > > 
> > > > Again a lookup.
> > > > 
> > > > Whether this particular problem could be used to do something nasty I don't
> > > > know, but playing like this is asking for trouble.
> > > > 
> > > > The only solution I see is to modify kqueue functions to accept fps.
> > > > 
> > > 
> > > reason? to prevent extra fget? or something else?
> > > 
> > 
> > Having multiple lookups for the same fd number may lead to different
> > fps, which may or may not be used to cause inconsistencies which in turn
> > may or may not be exploitable to either crash the kernel or escalate
> > privileges.
> > 
> > That said, the concern is that a malicious user could try to work
> > something out from this.
> > 
> 
> Hi, maybe enough to keep file ref?
> 

Yeah, just fget what you need and only pass fp around. Note to check
that fp->f_type == DTYPE_KQUEUE.

So just change kern_kevent to grab fp instead of fd and assert proper
fp->f_type.

Similarly for other functions grabbing fd instead of fp (if any).

-- 
Mateusz Guzik <mjguzik gmail.com>
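The double-lookup hazard and the single-fget fix the reply describes, as an added example that is not part of this thread or of FreeBSD's code: a user-space model in which fd_table[], file_t, fget()/fdrop() and race_hook are hypothetical stand-ins for the kernel's descriptor table, struct file and a concurrent thread.

```c
/* Added example (not from the thread): a user-space model of the double-lookup
 * hazard. fd_table[] stands in for the descriptor table and file_t for struct
 * file; every name here is a hypothetical stand-in, not FreeBSD's own code. */
#include <stddef.h>
enum { DTYPE_VNODE = 1, DTYPE_KQUEUE = 2 };  /* stand-ins for f_type values */
typedef struct { int f_type; int f_count; } file_t;
#define NFDS 8
static file_t *fd_table[NFDS];
/* Hook a concurrent thread runs between two lookups (models dup2()/close()). */
static void (*race_hook)(void) = NULL;
static file_t *fget(int fd) {            /* resolve fd and take a reference */
    if (fd < 0 || fd >= NFDS || fd_table[fd] == NULL) return NULL;
    fd_table[fd]->f_count++;
    return fd_table[fd];
}
static void fdrop(file_t *fp) { fp->f_count--; }
/* Fragile pattern: the epoll fd is resolved twice, so the second resolution can
 * name a different file. Returns 1 if the two lookups disagreed, else 0. */
static int kevent_by_fd_twice(int epfd) {
    file_t *fp1 = fget(epfd);
    if (fp1 == NULL) return -1;
    if (race_hook) race_hook();          /* other thread rewrites the fd table */
    file_t *fp2 = fget(epfd);
    int mismatch = (fp2 != fp1);
    if (fp2) fdrop(fp2);
    fdrop(fp1);
    return mismatch;
}
/* Hardened pattern (what the reply suggests): fget once, check f_type, then
 * pass fp around. Returns 0 on success, -1 if the fd is not a kqueue. */
static int kevent_on_fp(file_t *fp) { return fp->f_type == DTYPE_KQUEUE ? 0 : -1; }
static int kevent_by_fp_once(int epfd) {
    file_t *fp = fget(epfd);
    if (fp == NULL) return -1;
    if (fp->f_type != DTYPE_KQUEUE) { fdrop(fp); return -1; }
    if (race_hook) race_hook();          /* table may change; our fp does not */
    int rc = kevent_on_fp(fp);
    fdrop(fp);
    return rc;
}
/* Constructed scenario: fd 3 is a kqueue; mid-syscall another thread repoints
 * fd 3 at a vnode. demo(0) -> 1 (lookups disagreed), demo(1) -> 0 (safe). */
static file_t kq_file = { DTYPE_KQUEUE, 0 }, vn_file = { DTYPE_VNODE, 0 };
static void swap_fd3(void) { fd_table[3] = &vn_file; }
static int demo(int use_fp_once) {
    fd_table[3] = &kq_file; race_hook = swap_fd3;
    return use_fp_once ? kevent_by_fp_once(3) : kevent_by_fd_twice(3);
}
```

The reference counts return to zero in both paths, which is the other property the reply asks for: whatever the table does, the fp you validated is the fp you operate on and release.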