new^H^H^Himproved devfs races

Alexander Viro (
Thu, 27 Sep 2001 20:52:51 -0400 (EDT)

Richard, your symlink-related race fixes do not fix anything.

Enter devfs_readlink()
Let it sleep in copy_to_user()
Have symlink unregistered
->registered is 0, ->refcount is 1, ->linkname points to link body
Have symlink registered again (module had been unloaded, now attacker
causes its reload)
->registered is checked. Looks OK.
->refcount is set to 1.
->linkname is set to _new_ link body
copy_to_user() wakes up and finishes.
devfs_readlink() decrements ->refcount to 0.
devfs_readlink() does kfree() on ->linkname (new one)
We are left with registered entry with zero refcount and linkname
pointing nowhere.

Same scenario applies to other places of that kind.

