Re: [PATCH] fix page leak during core dump

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Andrew Morton

Subject: Re: [PATCH] fix page leak during core dump

Date: Friday, March 30, 2007 - 3:13 pm

On Fri, 30 Mar 2007 23:01:45 +0100 (BST)
Hugh Dickins <hugh@veritas.com> wrote:

quoted text> On Fri, 30 Mar 2007, Andrew Morton wrote:
> > On Thu, 29 Mar 2007 13:39:13 -0700
> > Brian Pomerantz <bapper@piratehaven.org> wrote:
> > 
> > > When the dump cannot occur most likely because of a full file system
> > > and the page to be written is the zero page, the call to
> > > page_cache_release() is missed.
> > > 
> > > Signed-off-by: Brian Pomerantz <bapper@mvista.com>
> > > 
> > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> > > index a2fceba..9cc4f0a 100644
> > > --- a/fs/binfmt_elf.c
> > > +++ b/fs/binfmt_elf.c
> > > @@ -1704,7 +1704,10 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file)
> > >  				DUMP_SEEK(PAGE_SIZE);
> > >  			} else {
> > >  				if (page == ZERO_PAGE(addr)) {
> > > -					DUMP_SEEK(PAGE_SIZE);
> > > +					if (!dump_seek(file, PAGE_SIZE)) {
> > > +						page_cache_release(page);
> > > +						goto end_coredump;
> > > +					}
> > 
> > Oh for gawds sake I wish we could be rid of those idiotic macros :(
> > 
> > This patch looks OK to me, although a refcount leak on the ZERO_PAGE is
> > special, because that page is PageReserved().
> > 
> > It used to be the case that we'd ignore attempts to change the refcount on
> > reserved pages (or at least on the ZERO_PAGE), but we changed that, so we
> > now actually refcount the ZERO_PAGE.  (I think, from a quick read of the
> > code.  This contradicts my memory of how it works).
> > 
> > So I expect the net effect here is that a sufficiently determined attacker
> > can overflow the ZERO_PAGE's refcount, thus causing it to be "freed".  The
> > page allocator won't actually free the page due to PG_Reserved, but it'll
> > all become very noisy.
> > 
> > Nick, Hugh: agree?
> 
> I think so - lots of "Bad page state" messages as the count bounces
> around the 0 mark, but not actually freed.  But when CONFIG_DEBUG_VM
> you'll get BUG_ONs.  And I can't swear bad things won't happen some-
> where once the count wraps to negative.  Easier to fix than work out
> the consequences.
> 
> (Of course, Nick is right now proposing a patch to take us back the
> other way, back to not accounting the ZERO_PAGE: so the fix needs
> to go in, then he'll need to reverse that again in his patch.)

OK.

quoted text> Doesn't fs/binfmt_elf_fdpic.c need the same fix?  It looks slightly
> different there, but I think when you look closer there's exactly
> the same issue?

Think so.  David, does it look OK?

<would anyone be interested in hearing my opinion on the DUMP_SEEK macro
again?>


From: Brian Pomerantz <bapper@piratehaven.org>

When the dump cannot occur most likely because of a full file system and
the page to be written is the zero page, the call to page_cache_release()
is missed.

Signed-off-by: Brian Pomerantz <bapper@mvista.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/binfmt_elf.c       |    5 ++++-
 fs/binfmt_elf_fdpic.c |    6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff -puN fs/binfmt_elf.c~fix-page-leak-during-core-dump fs/binfmt_elf.c
--- a/fs/binfmt_elf.c~fix-page-leak-during-core-dump
+++ a/fs/binfmt_elf.c
@@ -1704,7 +1704,10 @@ static int elf_core_dump(long signr, str
 				DUMP_SEEK(PAGE_SIZE);
 			} else {
 				if (page == ZERO_PAGE(addr)) {
-					DUMP_SEEK(PAGE_SIZE);
+					if (!dump_seek(file, PAGE_SIZE)) {
+						page_cache_release(page);
+						goto end_coredump;
+					}
 				} else {
 					void *kaddr;
 					flush_cache_page(vma, addr,
diff -puN fs/binfmt_elf_fdpic.c~fix-page-leak-during-core-dump fs/binfmt_elf_fdpic.c
--- a/fs/binfmt_elf_fdpic.c~fix-page-leak-during-core-dump
+++ a/fs/binfmt_elf_fdpic.c
@@ -1480,8 +1480,10 @@ static int elf_fdpic_dump_segments(struc
 				DUMP_SEEK(file->f_pos + PAGE_SIZE);
 			}
 			else if (page == ZERO_PAGE(addr)) {
-				DUMP_SEEK(file->f_pos + PAGE_SIZE);
-				page_cache_release(page);
+				if (!dump_seek(file, file->f_pos + PAGE_SIZE)) {
+					page_cache_release(page);
+					return 0;
+				}
 			}
 			else {
 				void *kaddr;
_

-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH] fix page leak during core dump, Brian Pomerantz, (Thu Mar 29, 1:39 pm)

Re: [PATCH] fix page leak during core dump, Andrew Morton, (Fri Mar 30, 1:43 pm)

Re: [PATCH] fix page leak during core dump, Hugh Dickins, (Fri Mar 30, 3:01 pm)

Re: [PATCH] fix page leak during core dump, Andrew Morton, (Fri Mar 30, 3:13 pm)

Re: [PATCH] fix page leak during core dump, Hugh Dickins, (Fri Mar 30, 4:06 pm)

Re: [PATCH] fix page leak during core dump , David Howells, (Sat Mar 31, 5:57 am)

Re: [PATCH] fix page leak during core dump , David Howells, (Sat Mar 31, 5:59 am)

Navigation

Popular discussions


linux-kernel:
Paul Turner	[tg_shares_up rewrite v4 11/11] sched: update tg->shares after cpu.shares write
Matthew Garrett	Re: [PATCH] Enable speedstep for sonoma processors.
Mauro Carvalho Chehab	Re: [PATCH 1/2] media: Add timberdale video-in driver
Peter Zijlstra	[PATCH 23/30] netvm: skb processing
Greg Kroah-Hartman	[PATCH 21/28] cgroupfs: create /sys/fs/cgroup to mount cgroupfs on
git:
Jan Hudec	Re: GIT push to sftp (feature request)
Steffen Prohaska	[PATCH 0/4] core.ignorecase
Johannes Schindelin	Re: Git checkout preserve timestamp?
Linus Torvalds	[PATCH 1/7] Make unpack_trees_options bit flags actual bitfields
Johan Herland	Re: What's cooking in git.git (Oct 2010, #01; Wed, 13)
linux-netdev:
David Miller	Re: [PATCH 1/3] f_phonet: dev_kfree_skb instead of dev_kfree_skb_any in TX callback
Richard Cochran	Re: [PATCH v3 3/3] ptp: Added a clock that uses the eTSEC found on the MPC85xx.
Jan Engelhardt	Re: [PATCH] Fix netfilter xt_time's time_mt()'s use of do_div()
Herbert Xu	Re: [RFC PATCH 00/17] virtual-bus
Jeff Kirsher	Re: [net-next-2.6 PATCH] e1000e: don't inadvertently re-set INTX_DISABLE
git-commits-head:
Linux Kernel Mailing List	ALSA: hda - Enable beep on Realtek codecs with PCI SSID override
Linux Kernel Mailing List	Use path_put() in a few places instead of {mnt,d}put()
Linux Kernel Mailing List	mv643xx_eth: use sw csum for big packets
Linux Kernel Mailing List	arm: fix HAVE_CLK merge goof
Linux Kernel Mailing List	arm: convert pcm037 platform to use smsc911x
freebsd-current:
David Wolfskill	"interrupt storm..."; seems associated with an0 NIC
Andriy Gapon	Re: letting glabel recognise a media change
Garrett Cooper	Re: Only display ACPI bootmenu key if ACPI is present
Pyun YongHyeon	CFT: msk(4) Rx checksum offloading support
FreeBSD Tinderbox	[head tinderbox] failure on sparc64/sparc64

Colocation donated by:

Syndicate