From: sk b
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: user pointers and race conditions
Date: Wed, 16 May 2007 22:56:22 -0600

Hello,

I'm wondering whether there is an exploitable TOCTTOU race condition in the way user pointers are handled in the kernel. Consider the following code:

1: struct st { int *u; };
2: void syscall(struct st *stp) {
3:     if (!access_ok(VERIFY_READ, stp, sizeof(struct st)))
4:         return;
5:     if (!access_ok(VERIFY_WRITE, stp->u, sizeof(int)))
6:         return;
7:     foo(); // user app writes a kernel address to stp->u
8:     *(stp->u) = 0;
9: }

Suppose syscall is some system call and, thus, stp and stp->u are user pointers. The function checks the stp and stp->u pointers using the access_ok macro on lines 3 and 5. Also suppose that the call to foo on line 7 takes a non-trivial amount of time to execute. During the time it takes foo to execute, the user application writes a kernel address to stp->u. Note that this write occurs after the check on line 5. Then, on line 8, the kernel writes to stp->u, which contains a kernel address. So, the user application could force the kernel to overwrite itself.
Is it possible to exploit this race condition? If so, does Sparse check for this?

-SKB
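The following is an added, self-contained user-space model of the pattern in the mail above; it is not SKB's code and not kernel code. It replaces access_ok(), copy_from_user() and put_user() with stand-ins (model_access_ok, memcpy and a plain store) over a constructed "user" region and a constructed "kernel" word, and foo_racing_user() plays the user process rewriting stp->u while foo() runs. The point it demonstrates is the defensive pattern: the pointer value that was checked must be the same value that is later used, which is what snapshotting the struct into kernel-owned memory gives you and what re-reading stp->u at line 8 does not. All names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same struct as in the mail. */
struct st { int *u; };

/* Constructed model of the address space: user_mem plays the pages the
 * caller owns, kernel_word plays a kernel location that a user-supplied
 * pointer must never be allowed to reach. Both are hypothetical. */
static struct {
    struct st args;   /* the struct st the caller passes to the syscall */
    int target;       /* the int the caller legitimately wants zeroed */
} user_mem;
static int kernel_word = 0x1234;

/* Stand-in for access_ok(): true iff [p, p+len) lies entirely inside user_mem. */
static bool model_access_ok(const void *p, size_t len)
{
    uintptr_t lo = (uintptr_t)&user_mem, hi = lo + sizeof user_mem;
    uintptr_t a = (uintptr_t)p;
    return a >= lo && a <= hi && len <= hi - a;
}

typedef void (*foo_fn)(void);

/* Two versions of foo(): one does nothing; the other models the user process
 * rewriting stp->u to a kernel address while the syscall is inside foo(). */
static void foo_benign(void) { }
static void foo_racing_user(void) { user_mem.args.u = &kernel_word; }

/* The pattern from the mail: validate stp->u, then re-read it at the point of use.
 * Because foo() is an opaque call, stp->u is fetched from user memory again. */
static int racy_syscall(struct st *stp, foo_fn foo)
{
    if (!model_access_ok(stp, sizeof *stp))
        return -1;
    if (!model_access_ok(stp->u, sizeof(int)))
        return -1;
    foo();
    *(stp->u) = 0;   /* uses whatever stp->u holds now, not what was checked */
    return 0;
}

/* The defensive pattern: copy the struct into kernel-owned memory once
 * (copy_from_user stand-in), validate the copy, and write only through the
 * copied pointer. The check and the use now see the same pointer value. */
static int snapshot_syscall(struct st *stp, foo_fn foo)
{
    struct st local;
    if (!model_access_ok(stp, sizeof *stp))
        return -1;
    memcpy(&local, stp, sizeof local);        /* copy_from_user stand-in */
    if (!model_access_ok(local.u, sizeof(int)))
        return -1;
    foo();                                    /* user may change stp->u now... */
    *local.u = 0;                             /* ...but the write goes via our copy */
    return 0;
}

/* Reset the model, run one syscall variant under one foo(), and classify the
 * outcome: 1 = kernel word intact and user target zeroed, 0 = kernel word
 * clobbered, -1 = the syscall rejected its arguments. */
static int run_scenario(int (*sc)(struct st *, foo_fn), foo_fn foo)
{
    kernel_word = 0x1234;
    user_mem.target = 0x5678;
    user_mem.args.u = &user_mem.target;
    if (sc(&user_mem.args, foo) != 0)
        return -1;
    if (kernel_word != 0x1234)
        return 0;
    return user_mem.target == 0 ? 1 : 0;
}

int main(void)
{
    printf("racy, no race:      %d\n", run_scenario(racy_syscall, foo_benign));
    printf("racy, racing user:  %d\n", run_scenario(racy_syscall, foo_racing_user));
    printf("snapshot, racing:   %d\n", run_scenario(snapshot_syscall, foo_racing_user));
    return 0;
}
```

In a real kernel the user struct is never dereferenced directly as it is here; copy_from_user()/get_user() fetch it into a kernel-owned local, and put_user() performs its own range check on the pointer it is given. The principle the model shows is unchanged: the value that is validated must be the value that is used, which only holds when the kernel works from its own copy.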