git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Linus Torvalds <torvalds@woody.osdl.org>
	Sat, 16 Dec 2006 17:44:32 +0000 (09:44 -0800)
committer	Chris Wright <chrisw@sous-sol.org>
	Wed, 10 Jan 2007 19:05:23 +0000 (11:05 -0800)
commit	e26353af7096103cec474473cbd81dc4190bba77
tree	d151197276e6bc92f1e314f9ec4bd2e6441d3902	tree \| snapshot
parent	85a181bb8fbaf93019651dbfa5034788b7164fa1	commit \| diff

[PATCH] Fix incorrect user space access locking in mincore() (CVE-2006-4814)

Doug Chapman noticed that mincore() will doa "copy_to_user()" of the
result while holding the mmap semaphore for reading, which is a big
no-no. While a recursive read-lock on a semaphore in the case of a page
fault happens to work, we don't actually allow them due to deadlock
schenarios with writers due to fairness issues.

Doug and Marcel sent in a patch to fix it, but I decided to just rewrite
the mess instead - not just fixing the locking problem, but making the
code smaller and (imho) much easier to understand.

Cc: Doug Chapman <dchapman@redhat.com>
Cc: Marcel Holtmann <holtmann@redhat.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Andrew Morton <akpm@osdl.org>
[chrisw: fold in subsequent fix: 4fb23e439ce0]
Acked-by: Hugh Dickins <hugh@veritas.com>
[chrisw: fold in subsequent fix: 825020c3866e]
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>