Roland McGrath wrote: >> I found it extremely difficult to trigger the race condition without the >> articifial test - arch_ptrace_stop() only sleeps if the user page is not >> present, but in the common case the register stack backing store will >> have been quite recently accessed by the process. > > It is supposed to be a rare race, after all. :-) We're just being thorough > to cover it, not that it ever actually happened in practice or was expected to. > >> It should be possible to create a large file, flush the page cache, put >> the RSE into lazy mode, flush it and map the register stack from that >> file, so that no memory accesses to the backing store are done before >> ptrace_stop(), but for the time being I placed an msleep(100) after >> arch_ptrace_stop(). > > And then make the file so mapped be from a broken NFS or FUSE or somesuch > mount that actually blocks forever on the fault. That would be the > probable style of a DoS attack exploiting this to create unkillable processes. That's exactly what I did. FUSE doesn't implement mmap (guess why), but I was able to trigger the race even with a working NFS after tweaking the timing a bit. I'm attaching the test case I used (the NFS volume was mounted on /nfs). Regards, Petr Tesarik
Attachment:
sigkill-race.tar.gz
Description: application/gzip
|