Re: mremap() bug IMHO not in 2.2

On Mon, 5 Jan 2004 Valdis.Kletnieks@vt.edu wrote:
>
> On Mon, 05 Jan 2004 15:36:41 PST, Linus Torvalds said:
> 
> > So yes, it creates some confusion in the VM layer, but it all seems 
> > benign. It's clearly a bug, but where does the security problem come in?
> 
> Just guessing, but would a zero-length vma be rounded up to a page, and
> thus give the attacker scribble permission on a page he shouldn't have had?

Almost certainly not.

It's more likely that one of the two functions that walk through _all_ the 
vma's (fork() and exit()) simply knows that a vma can never be 
zero-length, and uses a

	addr = vma->vm_start;
	do {
		...
		addr += PAGE_SIZE;
	} while (addr < vma->vm_end);

kind of loop - which means that either fork() or exit() would copy or 
release one page too many. 

The only page that should matter is likely the one at 0xC0000000, where 
there can be extra complications from the fact that we use 4MB pages for 
the kernel, so when fork/exit tries to walk the page table, it would get 
bogus results.

Still, I'd expect that to lead to a triple fault (and thus a reboot) 
rather than any elevation of privileges..

Interesting, in any case. Good catch from whoever found it.

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/