[PATCH] 2.4: PPC64: 32 bit sys_recvmsg corruption
Andi Kleen
ak at suse.de
Wed Feb 16 11:28:41 EST 2005
On Wed, Feb 16, 2005 at 11:11:46AM +1100, Stephen Rothwell wrote:
> Hi Marcello,
>
> In the presence of threads, there is a possibility of the kernel being
> fooled by the 32 bit sys_recvmsg control data into copying more than it
> should into the kernel and corrupting kernel data structures.
>
> We call the 64 bit version of sys_recvmsg which writes control messages
> directly to user memory which we then read back and "fix up" for the
> differences between 32 and 64 bit structures. If two threads share the
> buffer that we are writing into (and then reading from) it is possible for
> the control message headers to be changed from what we expect. One of the
> header fields is the length we need to copy back into the kernel ...
>
> This patch just does some more length checking.
>
> This bug was actually being hit by BIND running at a customer site. It is
> very hard to hit, but (obviously) possible.
Did you check if other 32bit emulations don't have the same problem?
-Andi
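As an added example, not code from this thread or from the kernel: a constructed C model of the compat fix-up walk Stephen describes, where every cmsg_len re-read from the shared user buffer is bounded by the byte count the kernel itself reported. The struct layout, the ALIGN8 macro and all function names here are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of the situation in the mail: the 64-bit recvmsg has
 * written control messages to a user buffer, and the compat layer re-reads
 * the headers to convert them. Struct and alignment are assumptions. */
struct cmsghdr64 { uint64_t cmsg_len; int32_t cmsg_level; int32_t cmsg_type; };
#define ALIGN8(n) (((n) + (size_t)7) & ~(size_t)7)

/* Re-walk the buffer. `written` is the byte count the kernel reported after
 * the 64-bit call, the only length a racing thread cannot change; each
 * cmsg_len fetched again from the buffer is bounded by it. Returns the
 * number of control messages, or -1 on an inconsistent header. */
int walk_cmsgs_checked(const unsigned char *buf, size_t written)
{
    size_t off = 0;
    int count = 0;
    while (written - off >= sizeof(struct cmsghdr64)) {
        struct cmsghdr64 h;
        memcpy(&h, buf + off, sizeof h);            /* the second fetch */
        if (h.cmsg_len < sizeof h || h.cmsg_len > written - off)
            return -1;                              /* refuse to trust it */
        count++;
        size_t next = off + ALIGN8((size_t)h.cmsg_len);
        if (next > written) break;                  /* last message, unpadded */
        off = next;
    }
    return count;
}

/* Constructed input: two control messages with 4 and 8 bytes of payload. */
static size_t build_sample(unsigned char *buf)
{
    struct cmsghdr64 a = { sizeof a + 4, 1, 1 }, b = { sizeof b + 8, 1, 2 };
    memset(buf, 0, 64);
    memcpy(buf, &a, sizeof a);
    memcpy(buf + ALIGN8(a.cmsg_len), &b, sizeof b);
    return ALIGN8(a.cmsg_len) + b.cmsg_len;        /* 24 + 24 = 48 bytes */
}

int scenario_clean(void)
{
    unsigned char buf[64];
    return walk_cmsgs_checked(buf, build_sample(buf));   /* 2 */
}

int scenario_tampered(void)   /* a thread changed cmsg_len between the fetches */
{
    unsigned char buf[64];
    size_t n = build_sample(buf);
    uint64_t big = 1u << 20;
    memcpy(buf, &big, sizeof big);                 /* overwrite first cmsg_len */
    return walk_cmsgs_checked(buf, n);             /* -1: length rejected */
}
```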