Date: Mon, 5 Jan 2004 15:36:41 -0800 (PST)
From: Linus Torvalds
To: Petr Baudis
cc: Diego Calleja, Robert.L.Harris@rdlg.net, vherva@niksula.hut.fi, ihaquer@isec.pl, cliph@isec.pl, linux-kernel@vger.kernel.org
Subject: Re: mremap() bug IMHO not in 2.2

On Mon, 5 Jan 2004, Petr Baudis wrote:
>
> Actually, after looking at the code again, I'm now quite convinced 2.2
> has not this particular vulnerability. In order for the exploit to work,
> you'd need mremap() to relocate you.

Can somebody tell me (in private) what the exploit is in the first place?

The thing is, I can see the VM getting confused and creating a zero-sized
vma, and I agree that it shouldn't do that. The fix is trivial.

But I don't see where the claimed privilege escalation comes from. A
zero-sized vma isn't ever going to be _useful_, since nothing will
actually find it. So yes, it creates some confusion in the VM layer, but
it all seems benign.

It's clearly a bug, but where does the security problem come in?

		Linus