• Lucas De Marchi's avatar
    sysctl: protect poll() in entries that may go away · 4e474a00
    Lucas De Marchi authored
    Protect code accessing ctl_table by grabbing the header with grab_header()
    and after releasing with sysctl_head_finish().  This is needed if poll()
    is called in entries created by modules: currently only hostname and
    domainname support poll(), but this bug may be triggered when/if modules
    use it and if user called poll() in a file that doesn't support it.
    
    Dave Jones reported the following when using a syscall fuzzer while
    hibernating/resuming:
    
    RIP: 0010:[<ffffffff81233e3e>]  [<ffffffff81233e3e>] proc_sys_poll+0x4e/0x90
    RAX: 0000000000000145 RBX: ffff88020cab6940 RCX: 0000000000000000
    RDX: ffffffff81233df0 RSI: 6b6b6b6b6b6b6b6b RDI: ffff88020cab6940
    [ ... ]
    Code: 00 48 89 fb 48 89 f1 48 8b 40 30 4c 8b 60 e8 b8 45 01 00 00 49 83
    7c 24 28 00 74 2e 49 8b 74 24 30 48 85 f6 74 24 48 85 c9 75 32 <8b> 16
    b8 45 01 00 00 48 63 d2 49 39 d5 74 10 8b 06 48 98 48 89
    
    If an entry goes away while we are polling() it, ctl_table may not exist
    anymore.
    Reported-by: default avatarDave Jones <davej@redhat.com>
    Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@profusion.mobi>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
    4e474a00
proc_sysctl.c 38.9 KB