Security critical race condition in epoll code

John Gardiner Myers (jgmyers@netscape.com)
Mon, 28 Oct 2002 17:47:27 -0800


There appears to be a race condition in the epoll patch which permits
user space to scribble in the kernel's free memory.

First a user space program creates an epoll fd and adds a socket to it
using sys_epoll_ctl(...EP_CTL_ADD...)

Then the program creates two threads, A and B. Simultaneously, A calls
sys_epoll_ctl(...EP_CTL_MOD...) and B calls
sys_epoll_ctl(...EP_CTL_DEL...) on the socket that was previously added.

Thread A runs up through the point where ep_find() returns the (struct
epitem *) for the socket.

Thread B then runs and ep_remove() frees the (struct epitem *).

Thread A then runs some more and stores the value of events into the now
freed block of memory pointed to by dpi.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/