Date: Thu, 28 Apr 2016 14:26:22 -0700
From: Andrew Morton
To: Mathias Krause
Cc: linux-kernel@vger.kernel.org, Emese Revfy, Pax Team, Al Viro, Mateusz Guzik, Alexey Dobriyan, Cyrill Gorcunov, Jarod Wilson
Subject: Re: [PATCH] proc: prevent accessing /proc/<pid>/environ until it's ready
Message-Id: <20160428142622.92fad67c88152341075e4294@linux-foundation.org>
In-Reply-To: <1461870258-17970-1-git-send-email-minipli@googlemail.com>
References: <1461870258-17970-1-git-send-email-minipli@googlemail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 28 Apr 2016 21:04:18 +0200 Mathias Krause wrote:

> If /proc/<pid>/environ gets read before the envp[] array is fully set
> up in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying
> to read more bytes than are actually written, as env_start will already
> be set but env_end will still be zero, making the range calculation
> underflow, allowing to read beyond the end of what has been written.
>
> Fix this as it is done for /proc/<pid>/cmdline by testing env_end for
> zero. It is, apparently, intentionally set last in create_*_tables().
>
> This bug was found by the PaX size_overflow plugin that detected the
> arithmetic underflow of 'this_len = env_end - (env_start + src)' when
> env_end is still zero.

So what are the implications of this?

From my reading, a craftily constructed application could occasionally read arbitrarily large amounts of kernel memory?
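The range calculation the quoted commit message describes, reduced to a stand-alone model. This is an added example, not the patch and not the code in fs/proc/base.c: `struct fake_mm` stands in for the two mm_struct fields involved, `environ_chunk_unfixed()` follows the shape of the pre-fix arithmetic (`src >= env_end - env_start`, then `this_len = env_end - (env_start + src)`, capped at PAGE_SIZE and the caller's count), `environ_chunk_fixed()` adds the env_end-is-zero check the patch proposes, and `total_read()` drives the read loop and returns how many bytes a reader would be handed in total. The constructed addresses and counts are illustrative values, not taken from a real process.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

/* Stand-in for the two mm_struct fields this bug depends on (assumption:
 * nothing else in the calculation matters for the demonstration). */
struct fake_mm {
    unsigned long env_start;
    unsigned long env_end;
};

/* Bytes the reader would fetch at offset src, following the pre-fix
 * arithmetic. Returns 0 when the read should stop.
 *
 * With env_end == 0 both subtractions wrap: the "src >= length" guard
 * never fires and this_len becomes huge, so only max_len bounds the
 * chunk and the loop keeps going until count is exhausted. */
static size_t environ_chunk_unfixed(const struct fake_mm *mm, size_t src, size_t count)
{
    unsigned long env_start = mm->env_start;
    unsigned long env_end = mm->env_end;
    size_t this_len, max_len;

    if (src >= (env_end - env_start))      /* wraps when env_end == 0 */
        return 0;

    this_len = env_end - (env_start + src); /* the underflow PaX flagged */
    max_len = PAGE_SIZE < count ? PAGE_SIZE : count;
    return this_len < max_len ? this_len : max_len;
}

/* Same calculation behind the check the patch adds: an mm whose env_end is
 * still zero has no finished envp[] area, so there is nothing to read. */
static size_t environ_chunk_fixed(const struct fake_mm *mm, size_t src, size_t count)
{
    if (!mm->env_end)
        return 0;
    return environ_chunk_unfixed(mm, src, count);
}

/* Drive the read loop the way a reader asking for `count` bytes would, and
 * return the total number of bytes it would be handed. */
static size_t total_read(size_t (*chunk)(const struct fake_mm *, size_t, size_t),
                         const struct fake_mm *mm, size_t count)
{
    size_t src = 0, total = 0;

    while (count > 0) {
        size_t n = chunk(mm, src, count);
        if (n == 0)
            break;
        src += n;
        total += n;
        count -= n;
    }
    return total;
}

int main(void)
{
    /* Constructed: env_start already published, env_end not yet written. */
    struct fake_mm racing = { .env_start = 0x7ffd1000UL, .env_end = 0UL };
    /* Constructed: fully set up, 100 bytes of environment. */
    struct fake_mm ready = { .env_start = 0x7ffd1000UL, .env_end = 0x7ffd1000UL + 100 };
    size_t want = 1UL << 20;

    printf("racing, unfixed: %zu bytes\n", total_read(environ_chunk_unfixed, &racing, want));
    printf("racing, fixed:   %zu bytes\n", total_read(environ_chunk_fixed, &racing, want));
    printf("ready, unfixed:  %zu bytes\n", total_read(environ_chunk_unfixed, &ready, want));
    printf("ready, fixed:    %zu bytes\n", total_read(environ_chunk_fixed, &ready, want));
    return 0;
}
```

In the racing case the unfixed loop returns every byte the caller asked for, one page at a time, starting at env_start and running past whatever has actually been written there; the fixed version returns nothing until env_end is set. For a fully set-up mm both versions stop after the real 100 bytes, which is why the env_end test is safe to add without changing normal reads.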