Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752897AbcD2GC0 (ORCPT ); Fri, 29 Apr 2016 02:02:26 -0400 Received: from mail-yw0-f196.google.com ([209.85.161.196]:36707 "EHLO mail-yw0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752416AbcD2GCZ (ORCPT ); Fri, 29 Apr 2016 02:02:25 -0400 MIME-Version: 1.0 In-Reply-To: <20160428143058.0c12162dbc11461144cfa57f@linux-foundation.org> References: <1461870258-17970-1-git-send-email-minipli@googlemail.com> <20160428143058.0c12162dbc11461144cfa57f@linux-foundation.org> Date: Fri, 29 Apr 2016 08:02:24 +0200 Message-ID: Subject: Re: [PATCH] proc: prevent accessing /proc//environ until it's ready From: Mathias Krause To: Andrew Morton Cc: "linux-kernel@vger.kernel.org" , Emese Revfy , Pax Team , Al Viro , Mateusz Guzik , Alexey Dobriyan , Cyrill Gorcunov , Jarod Wilson Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1335 Lines: 28 On 28 April 2016 at 23:30, Andrew Morton wrote: > On Thu, 28 Apr 2016 21:04:18 +0200 Mathias Krause wrote: > >> If /proc//environ gets read before the envp[] array is fully set >> up in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying >> to read more bytes than are actually written, as env_start will already >> be set but env_end will still be zero, making the range calculation >> underflow, allowing to read beyond the end of what has been written. >> >> Fix this as it is done for /proc//cmdline by testing env_end for >> zero. It is, apparently, intentionally set last in create_*_tables(). > > Also, if this is indeed our design then > > a) the various create_*_tables() should have comments in there which > explain this subtlety to the reader. Or, better, they use a common > helper function for this readiness-signaling operation because.. > > b) we'll need some barriers there to ensure that the environ_read() > caller sees the create_*_tables() writes in the correct order. I totally agree that this kind of "synchronization" is rather fragile. Adding comments won't help much, I fear. Rather a dedicated flag, signaling "process ready for inspection" may be needed. So far, that's what env_end is (ab-)used for. Regards, Mathias