[PATCH] 2.4: PPC64: 32 bit sys_recvmsg corruption

Andi Kleen ak at suse.de
Wed Feb 16 11:28:41 EST 2005

On Wed, Feb 16, 2005 at 11:11:46AM +1100, Stephen Rothwell wrote:
> Hi Marcello,
> In the presence of threads, there is a possibility of the kernel being
> fooled by the 32 bit sys_recvmsg control data into copying more than it
> should into the kernel and corrupting kernel data structures.
> We call the 64 bit version of sys_recvmsg which writes control messages
> directly to user memory which we then read back and "fix up" for the
> differences between 32 and 64 bit structures.  If two threads share the
> buffer that we are writing into (and then reading from) it is possible for
> the control message headers to be changed from what we expect.  One of the
> header fields is the length we need to copy back into the kernel ...
> This patch just does some more length checking.
> This bug was actually being hit by BIND running at a customer site.  It is
> very hard to hit, but (obviously) possible.

Did you check if other 32bit emulations don't have the same problem?


More information about the Linuxppc64-dev mailing list