Re: [Patch]: write_kmem above high_memory

Andi Kleen (ak@muc.de)
Tue, 4 Jan 2000 15:20:48 +0100


On Tue, Jan 04, 2000 at 01:35:54PM +0100, Manfred Spraul wrote:
> Andi Kleen wrote:
> >
> > tigran@sco.COM (Tigran Aivazian) writes:
> >
> > > Hi,
> > >
> > > Your patch looks fine but you realize, of course, that both your vwrite()
> > > and the old vread() walk through vmlist without any locking so results can
> > > be not only inconsistent but disastrous (on SMP if list is modified at the
> > > same time).
> >
> > The more elegant way would be probably to remove all checks in these
> > functions, and instead protect the read/writes with an exception table
> > entry similar to copy_from/to_user. Only drawback is that it needs
> > per architecture support.
> >
>
> set_fs(KERNEL_DS) + get_user()/__get_user()?

Could work, yes.

>
> BUT: that's dangerous, because we might read from the mmap'ed io space
> of a hardware device.

And? There are thousands of ways to crash the machine when you have write access
to /dev/mmap, and when you have read access there are so many security
holes that DoS capability is only a small step. Unix generally does not
prevent root from shooting into his own foot.

>
> The current show_registers() [arch/i386/kernel/traps.c] code has the
> same problem: on SMP, it causes a hard lock-up if the EIP value got
> corrupted.

You do not even need SMP.

I was recently fighting with that. The stack pointer was corrupted,
leading to invalid current, leading to invalid page table, leading to
recursive oops when it tries to dump the bogus page table (but without the
registers, because the pte access is in front of show_registers). It would
be a good addition IMHO.

-Andi

-- 
This is like TV. I don't like TV.
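The "drop the vmlist walk and let the access fault, then recover" approach discussed above, as an added example that is not part of the thread and not kernel code: a user-space model in which sigsetjmp/siglongjmp and a SIGSEGV/SIGBUS handler stand in for the kernel's per-architecture exception table. The names probe_read, probe_install and demo_probe are hypothetical. Because no list of valid regions is consulted, there is no list to race against; an access to an unmapped or unreadable page simply reports failure instead of taking the process down.

```c
/* Added example, not from the LKML thread: fault-and-recover read in user
 * space. sigsetjmp/siglongjmp play the role the kernel exception table
 * plays for copy_from_user-style accessors. Helper names are hypothetical. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;                 /* where to resume after a fault */
static volatile sig_atomic_t probe_active;   /* 1 only while a probe is running */

/* Fault handler: if a probe is in progress, unwind to it; otherwise restore
 * the default action and re-raise so an unrelated crash still crashes. */
static void probe_fault(int sig)
{
    if (probe_active)
        siglongjmp(probe_env, 1);
    signal(sig, SIG_DFL);
    raise(sig);
}

/* Install the fault handler for the two signals a bad memory access raises. */
static int probe_install(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    if (sigaction(SIGSEGV, &sa, NULL) < 0)
        return -1;
    if (sigaction(SIGBUS, &sa, NULL) < 0)
        return -1;
    return 0;
}

/* Copy n bytes from src to dst. Returns 0 on success, -1 if any byte faulted.
 * No region list is checked up front; the fault path is the validity check. */
int probe_read(void *dst, const void *src, size_t n)
{
    if (probe_install() < 0)
        return -1;
    if (sigsetjmp(probe_env, 1)) {   /* landed here from probe_fault() */
        probe_active = 0;
        return -1;
    }
    probe_active = 1;
    for (size_t i = 0; i < n; i++)
        ((volatile unsigned char *)dst)[i] =
            ((const volatile unsigned char *)src)[i];
    probe_active = 0;
    return 0;
}

/* Exercise both paths: a readable buffer (constructed sample data) must copy
 * intact, and a PROT_NONE page must fail cleanly. Returns 0 when both hold. */
int demo_probe(void)
{
    unsigned char buf[16];
    const char good[16] = "kernel-data";   /* constructed sample input */

    if (probe_read(buf, good, sizeof buf) != 0)
        return 1;                          /* readable region must succeed */
    if (memcmp(buf, good, sizeof buf) != 0)
        return 2;                          /* and must copy every byte */

    long pg = sysconf(_SC_PAGESIZE);
    void *bad = mmap(NULL, (size_t)pg, PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (bad == MAP_FAILED)
        return 3;
    int r = probe_read(buf, bad, sizeof buf);   /* must report -1, not crash */
    munmap(bad, (size_t)pg);
    return r == -1 ? 0 : 4;
}
```

The caveat Manfred raises survives the translation: a fault handler only helps when the hardware actually faults. A read that lands on mapped device I/O space completes "successfully" with whatever side effects the device has, so this pattern replaces the locking problem, not the need to decide which addresses are safe to touch.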
