On Mon, 28 Jan 2019, Peter Zijlstra wrote: > On Sun, Jan 27, 2019 at 12:04:44PM +0100, Thomas Gleixner wrote: > > On Mon, 21 Jan 2019, tip-bot for Kangjie Lu wrote: > > > diff --git a/kernel/sched/core.c b/kernel/sched/core.c > > > index a674c7db2f29..d4d3514c4fe9 100644 > > > --- a/kernel/sched/core.c > > > +++ b/kernel/sched/core.c > > > @@ -4499,6 +4499,9 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a > > > if (ret) > > > return -EFAULT; > > > > > > + /* In case attr->size was changed by user-space: */ > > > + attr->size = size; > > > + > > > > Just when pondering to send that to Linus, I tried to write up a concise > > summary for this which made me look at the patch. > > > > If the size changed, then its clear that user space fiddled with the date > > between the size fetch and the full copy from user. So why restoring the > > size instead of doing the obvious: > > > > if (attr->size != size) > > return -ECRAP; > > > > Hmm? > > Sure; but if we do that we should also change perf_copy_attr() which has > the exact same thing. Yes please. The point is that by default the data passed to a function (and it does not matter whether it's a syscall) by pointer is immutable. There is exactly ONE syscall which is specifically designed to deal with mutable data and that's a constant source of headache .... Kangjie is right that all double fetch operations like the one in sched_copy_attr() are prone to concurrent modification problems. But then we really should say NO instead of silently trying to fix things up. I personally would even kill the process immediately, no matter whether the corruption is caused by malicious intent or by sheer stupidity. Thanks, tglx
