On Mon, Oct 08, 2012 at 11:09:49AM -0400, Dave Jones wrote: > Last month I sent in 80de7c3138ee9fd86a98696fd2cf7ad89b995d0a to remove > a user triggerable BUG in mempolicy. > > Ben Hutchings pointed out to me that my change introduced a potential leak > of stack contents to userspace, because none of the callers check the return value. > > This patch adds the missing return checking, and also clears the buffer beforehand. > > Reported-by: Ben Hutchings <bhutchings@xxxxxxxxxxxxxx> > Cc: stable@xxxxxxxxxx > Signed-off-by: Dave Jones <davej@xxxxxxxxxx> > > --- > unanswered question: why are the buffer sizes here different ? which is correct? A further unanswered question is how the state got so screwed up that we hit that default case at all. Looking at the original report: https://lkml.org/lkml/2012/9/6/356 What's in RAX looks suspiciously like left-over slab poison. If pol->mode was poisoned, that smells like we have a race where policy is getting freed while another process is reading it. Am I missing something, or is there no locking around that at all ? Dave -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>