Hello, I'm wondering whether there is an exploitable TOCTTOU race condition in the way user pointers are handled in the kernel. Consider the following code:
1: struct st { int *u; }; 2: void syscall(struct st * stp) { 3: if (!access_ok(VERIFY_READ,stp,sizeof(struct st))) 4: return; 5: if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int))) 6: return; 7: foo(); //user app writes a kernel address to stp->u 8: *(stp->u) = 0; 9:} Suppose syscall is some system call and, thus, stp and stp->u are user pointers. The function checks the stp and stp->u pointers using the access_ok macro on lines 3 and 5. Also suppose that the call to foo on line 7 takes a non-trivial amount of time to execute. During the time it takes foo to execute, the user application writes a kernel address to stp->u. Note that this write occurs after the check on line 5. Then, on line 8, the kernel writes to stp->u which contains a kernel address. So, the user application could force the kernel to overwrite itself. Is it possible to exploit this race condition? If so, does Sparse check for this? -SKB _________________________________________________________________ Download Messenger. Start an i’m conversation. Support a cause. Join now. http://im.live.com/messenger/im/home/?source=TAGWL_MAY07- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/