|| ||Linus Torvalds <torvalds-AT-osdl.org>|
|| ||Re: mremap() bug IMHO not in 2.2|
|| ||Mon, 5 Jan 2004 16:08:36 -0800 (PST)|
On Mon, 5 Jan 2004 Valdis.Kletnieks@vt.edu wrote:
> On Mon, 05 Jan 2004 15:36:41 PST, Linus Torvalds said:
> > So yes, it creates some confusion in the VM layer, but it all seems
> > benign. It's clearly a bug, but where does the security problem come in?
> Just guessing, but would a zero-length vma be rounded up to a page, and
> thus give the attacker scribble permission on a page he shouldn't have had?
Almost certainly not.
It's more likely that one of the two functions that walk through _all_ the
vma's (fork() and exit()) simply knows that a vma can never be
zero-length, and uses a
addr = vma->vm_start;
addr += PAGE_SIZE;
} while (addr < vma->vm_end);
kind of loop - which means that either fork() or exit() would copy or
release one page too many.
The only page that should matter is likely the one at 0xC0000000, where
there can be extra complications from the fact that we use 4MB pages for
the kernel, so when fork/exit tries to walk the page table, it would get
Still, I'd expect that to lead to a triple fault (and thus a reboot)
rather than any elevation of privileges..
Interesting, in any case. Good catch from whoever found it.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
to post comments)