Subject: Re: [RFC] mlock/stack guard interaction fixup
From: Tony Luck
To: Sam Ravnborg
Cc: Linus Torvalds, Ian Campbell, linux-kernel@vger.kernel.org, stable@kernel.org, stable-review@kernel.org, akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk, Greg KH, Peter Zijlstra, Jeremy Fitzhardinge
Date: Mon, 23 Aug 2010 09:34:14 -0700
In-Reply-To: <20100821160839.GA26375@merkur.ravnborg.org>

On Sat, Aug 21, 2010 at 9:08 AM, Sam Ravnborg wrote:
> Tony Luck already provided a VM_GROWSUP version.
>
>     See: http://lkml.org/lkml/2010/8/20/325
>
> [It is signed off by Tony Luc - but I guess they know each other ;-) ]

Tony Luc spends too much time looking at the To: and Cc: to make sure
that he spelled *other* people's names correctly.
That patch doesn't apply any more because of the latest change to look at
vm_prev instead of calling find_vma() [N.B. the block comment above
check_stack_guard_page() still talks about find_vma()].

I can fix up my patch ... but I have to wonder whether the new code doesn't
leave a hole again. It assumes that any VM_GROWSDOWN object that is found
below the current one is the result of the stack vma having been split. But
couldn't an attacker have used MAP_GROWSDOWN when placing their sneaky stack
smashing mapping just below the stack?

-Tony
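To make the concern in this mail concrete from a reviewer's side, here is an added toy model of the vm_prev based guard page heuristic as the mail describes it. It is not kernel code and not code from anyone in this thread; the struct layout, the `VM_GROWSDOWN` bit value, the addresses and the function names are all constructed for the illustration. It runs the same fault through three layouts: a real gap below the stack, a plain mapping abutting the stack, and a VM_GROWSDOWN mapping abutting the stack. The model only sees flags and addresses, so the third case gives the same verdict whether that lower mapping is the split-off remainder of the stack or an unrelated MAP_GROWSDOWN region, which is exactly the ambiguity the mail points at.

```c
/* Added illustration, not kernel code: a toy model of the vm_prev based
 * stack guard page check discussed in the mail. Flag values, addresses and
 * the struct layout are constructed for the demo. */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE     4096UL
#define VM_GROWSDOWN  0x1u          /* constructed flag bit, not the kernel's value */

struct vma {
    unsigned long start, end;       /* [start, end) */
    unsigned      flags;
    struct vma   *prev;             /* stands in for vm_prev: the next lower mapping */
};

enum verdict { EXPAND_OK, GUARD_BLOCK };

/* Model of the heuristic: on a fault in the lowest page of a VM_GROWSDOWN
 * mapping, look at the mapping directly below. If it abuts us, it is allowed
 * only when it is itself VM_GROWSDOWN (assumed to be the same stack, split);
 * anything else abutting means there is no room for a guard page. If nothing
 * abuts us, the stack may grow into the gap. */
enum verdict check_stack_guard_page_model(const struct vma *vma, unsigned long address)
{
    address &= ~(PAGE_SIZE - 1);
    if ((vma->flags & VM_GROWSDOWN) && address == vma->start) {
        const struct vma *prev = vma->prev;
        if (prev && prev->end == address)
            return (prev->flags & VM_GROWSDOWN) ? EXPAND_OK : GUARD_BLOCK;
    }
    return EXPAND_OK;
}

/* Build a stack mapping with one mapping below it and ask the model what it
 * would do for a fault on the stack's lowest page. Because the model only
 * sees flags and addresses, a split-off stack piece and an unrelated
 * MAP_GROWSDOWN mapping at the same spot are indistinguishable to it. */
enum verdict verdict_for_layout(unsigned below_flags, bool adjacent)
{
    const unsigned long stack_start = 0x7f0000000000UL;   /* constructed address */
    struct vma below = {
        .start = stack_start - 16 * PAGE_SIZE,
        .end   = adjacent ? stack_start : stack_start - PAGE_SIZE,
        .flags = below_flags,
        .prev  = NULL,
    };
    struct vma stack = {
        .start = stack_start,
        .end   = stack_start + 32 * PAGE_SIZE,
        .flags = VM_GROWSDOWN,
        .prev  = &below,
    };
    /* fault a few bytes into the stack's lowest page */
    return check_stack_guard_page_model(&stack, stack.start + 8);
}

int main(void)
{
    static const char *name[] = { "expand", "block" };
    printf("gap below stack:                %s\n", name[verdict_for_layout(0, false)]);
    printf("plain mapping abutting stack:   %s\n", name[verdict_for_layout(0, true)]);
    printf("VM_GROWSDOWN mapping abutting:  %s\n", name[verdict_for_layout(VM_GROWSDOWN, true)]);
    return 0;
}
```

The third line of output is the one to look at when reviewing the heuristic: the model cannot tell a split stack from a separately created growsdown mapping, so a check that wants to guarantee a guard page needs more than the VM_GROWSDOWN flag of vm_prev to decide.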