Re: file offset corruption on 32-bit machines?

On Thu, Apr 10, 2008 at 04:31:09PM +0200, Jiri Kosina wrote:
> >   Well, this race is more subtle - the window is just one instruction
> > wide (stores to f_pos from CPU2 must come between the store of lower and
> > upper 32-bits of f_pos on CPU1). And the only result is that f_pos has
> > 32-bits from one file pointer and 32-bits from the other one. So I can
> > hardly imagine this would be exploitable...
> 
> Supposing you are not holding any spinlock and are running with 
> preemptible kernel (pretty common scenario nowadays), there is nothing 
> that would prevent kernel from rescheduling between the two instructions, 
> enlarging the race window to be more comfortable for attacker, right?
> 
> I think this is worth fixing.

Seems a lot like reading jiffies to me.  Is the seqlock the right
solution to use for fixing this?

-- 
Intel are signing my paycheques ... these opinions are still mine
"Bill, look, we understand that you're interested in selling us this
operating system, but compare it to ours.  We can't possibly take such
a retrograde step."
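The torn f_pos described in the quoted text, and the seqlock-style guard the reply asks about, as an added example that is not code from this thread or from the kernel: the 64-bit offset is modelled as the two separate words a 32-bit CPU stores, a hook stands in for CPU2 (or a reschedule on a preemptible kernel) running between the two stores, and a seqcount in the style of the kernel's seqlock lets a reader detect the window and retry. All names are assumed for the demonstration; it is single-threaded, so the barriers real seqlock code needs are only noted in comments.

```c
/* Added example, not code from the thread: f_pos as two 32-bit words, a hook
 * running in the window between the two stores, and a seqcount guard in the
 * style of the kernel's seqlock.  Names are made up; single-threaded model. */
#include <stdint.h>
#include <stdbool.h>
struct split_pos { uint32_t lo, hi; };                  /* 64-bit f_pos, two words */
struct seq_pos { unsigned seq; struct split_pos pos; }; /* seq odd = write under way */
static uint64_t pos_read_raw(const struct split_pos *p) { return ((uint64_t)p->hi << 32) | p->lo; }
/* Writer: two 32-bit stores; `between` models whatever runs in the window. */
static void pos_write_seq(struct seq_pos *s, uint64_t v, void (*between)(void *), void *arg)
{
    s->seq++;                       /* odd; the kernel adds smp_wmb() here */
    s->pos.lo = (uint32_t)v;
    if (between) between(arg);      /* the window: lo is new, hi still old */
    s->pos.hi = (uint32_t)(v >> 32);
    s->seq++;                       /* even again; smp_wmb() precedes it */
}
/* Reader: true only if seq was even and unchanged around the read; else retry. */
static bool pos_try_read_seq(const struct seq_pos *s, uint64_t *out)
{
    unsigned start = s->seq;        /* kernel: smp_rmb() after this load */
    if (start & 1) return false;
    *out = pos_read_raw(&s->pos);
    return s->seq == start;         /* kernel: smp_rmb() before this recheck */
}
/* A reader that fires inside the window and records both views of f_pos. */
struct probe { struct seq_pos *s; uint64_t raw; bool seq_ok; };
static void probe_in_window(void *arg)
{
    struct probe *pr = arg; uint64_t scratch;
    pr->raw = pos_read_raw(&pr->s->pos);             /* unguarded read: torn */
    pr->seq_ok = pos_try_read_seq(pr->s, &scratch);  /* guarded read: refused */
}
/* Move f_pos from 0x00000000FFFFFFFF to 0x0000000100000000, the case where a
 * carry crosses the word boundary, with the probe running in the window. */
static struct probe run_race(void)
{
    static struct seq_pos s;
    struct probe pr = { &s, 0, false };
    s.seq = 0; s.pos.lo = 0xFFFFFFFFu; s.pos.hi = 0;
    pos_write_seq(&s, 0x100000000ull, probe_in_window, &pr);
    return pr;
}
/* Torn value: 0, which is neither the old offset nor the new one. */
static uint64_t torn_value_seen(void) { return run_race().raw; }
/* The seqcount reader refuses the mid-update value and would retry. */
static bool seq_reader_accepted(void) { return run_race().seq_ok; }
/* Once seq is even again the guarded read returns the complete new offset. */
static uint64_t value_after_write(void) { uint64_t v = 0; return pos_try_read_seq(run_race().s, &v) ? v : 0; }
```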