ChangeSet 1.1539.1.1, 2005/02/03 13:17:21-02:00, [EMAIL PROTECTED] [PATCH] fix for memory corruption from /proc/kcore access A fairly nasty memory corruption potential exists when /proc/kcore is accessed and there are at least 62 vmalloc'd areas. The problem is that get_kcore_size() does not properly account for the elf_prstatus, elf_prpsinfo, and task_struct structure sizes in the fabricated ELF header, and then elf_kcore_store_hdr() and its associated calls to storenote() will possibly overrun the "elf_buf" buffer allocated by read_kcore(). Because the requested buffer size is rounded up to a page multiple, only certain ranges of counts of vmalloc'd areas will actually lead to a memory corruption. When it does happen, usually the end of the /proc/kcore reader's task_struct ends up being copied into a slab page (or sometimes into a data page) causing a kernel crash (or data corruption) at a later point in time. The 1st hunk of the patch below fixes this problem. The latter 3 hunks correct the "p_filesz" value for the note section (which is already initialized to 0 on line 232) as stored in the ELF header, but these hunks are not necessary to fix the corruption possiblity. The fix is already in 2.6.
kcore.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) diff -Nru a/fs/proc/kcore.c b/fs/proc/kcore.c --- a/fs/proc/kcore.c 2005-02-07 13:03:39 -08:00 +++ b/fs/proc/kcore.c 2005-02-07 13:03:39 -08:00 @@ -136,7 +136,10 @@ } *elf_buflen = sizeof(struct elfhdr) + (*num_vma + 2)*sizeof(struct elf_phdr) + - 3 * sizeof(struct memelfnote); + 3 * (sizeof(struct elf_note) + 4) + + sizeof(struct elf_prstatus) + + sizeof(struct elf_prpsinfo) + + sizeof(struct task_struct); *elf_buflen = PAGE_ALIGN(*elf_buflen); return (size - PAGE_OFFSET + *elf_buflen); } @@ -279,7 +282,7 @@ memset(&prstatus, 0, sizeof(struct elf_prstatus)); - nhdr->p_filesz = notesize(¬es[0]); + nhdr->p_filesz += notesize(¬es[0]); bufp = storenote(¬es[0], bufp); /* set up the process info */ @@ -296,7 +299,7 @@ strcpy(prpsinfo.pr_fname, "vmlinux"); strncpy(prpsinfo.pr_psargs, saved_command_line, ELF_PRARGSZ); - nhdr->p_filesz = notesize(¬es[1]); + nhdr->p_filesz += notesize(¬es[1]); bufp = storenote(¬es[1], bufp); /* set up the task structure */ @@ -305,7 +308,7 @@ notes[2].datasz = sizeof(struct task_struct); notes[2].data = current; - nhdr->p_filesz = notesize(¬es[2]); + nhdr->p_filesz += notesize(¬es[2]); bufp = storenote(¬es[2], bufp); } /* end elf_kcore_store_hdr() */ - To unsubscribe from this list: send the line "unsubscribe bk-commits-24" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html