On Wed, Jan 06, 2016 at 06:02:27AM +0100, Mateusz Guzik wrote:
> An unprivileged user can trigger an oops on a kernel with
> CONFIG_CHECKPOINT_RESTORE.
>
> proc_pid_cmdline_read takes mmap_sem for reading and obtains args + env
> start/end values. These get sanity checked as follows:
> BUG_ON(arg_start > arg_end);
> BUG_ON(env_start > env_end);
>
> These can be changed by prctl_set_mm. Turns out it also takes the semaphore
> for reading, effectively rendering it useless. This results in:

Thanks a lot for catching it! You know, I tried to escape taking the sem for
writing as long as I could, so another option might be to simply zap these
BUG_ONs and rather exit with -EINVAL. On the other hand, modification under
a read-lock is of course not correct in terms of the "general approach", but
these members are special, so I took a risk. Anyway,

Acked-by: Cyrill Gorcunov <gorcunov@xxxxxxxxxx>

Thanks again.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .