On Mon, 28 Jan 2019, Thomas Gleixner wrote: > On Mon, 28 Jan 2019, Peter Zijlstra wrote: > > On Sun, Jan 27, 2019 at 12:04:44PM +0100, Thomas Gleixner wrote: > > > On Mon, 21 Jan 2019, tip-bot for Kangjie Lu wrote: > > > > diff --git a/kernel/sched/core.c b/kernel/sched/core.c > > > > index a674c7db2f29..d4d3514c4fe9 100644 > > > > --- a/kernel/sched/core.c > > > > +++ b/kernel/sched/core.c > > > > @@ -4499,6 +4499,9 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a > > > > if (ret) > > > > return -EFAULT; > > > > > > > > + /* In case attr->size was changed by user-space: */ > > > > + attr->size = size; > > > > + > > > > > > Just when pondering to send that to Linus, I tried to write up a concise > > > summary for this which made me look at the patch. > > > > > > If the size changed, then its clear that user space fiddled with the date > > > between the size fetch and the full copy from user. So why restoring the > > > size instead of doing the obvious: > > > > > > if (attr->size != size) > > > return -ECRAP; > > > > > > Hmm? > > > > Sure; but if we do that we should also change perf_copy_attr() which has > > the exact same thing. > > Yes please. > > The point is that by default the data passed to a function (and it does not > matter whether it's a syscall) by pointer is immutable. There is exactly > ONE syscall which is specifically designed to deal with mutable data and > that's a constant source of headache .... > > Kangjie is right that all double fetch operations like the one in > sched_copy_attr() are prone to concurrent modification problems. But then > we really should say NO instead of silently trying to fix things up. I > personally would even kill the process immediately, no matter whether the > corruption is caused by malicious intent or by sheer stupidity. Just noticed that this fell through the cracks. Is anyone working on a fix for this? Thanks, tglx
