From: John G. M. <jg...@ne...> - 2002-10-29 01:47:56
There appears to be a race condition in the epoll patch which permits user space to scribble in the kernel's free memory. First a user space program creates an epoll fd and adds a socket to it using sys_epoll_ctl(...EP_CTL_ADD...). Then the program creates two threads, A and B. Simultaneously, A calls sys_epoll_ctl(...EP_CTL_MOD...) and B calls sys_epoll_ctl(...EP_CTL_DEL...) on the socket that was previously added. Thread A runs up through the point where ep_find() returns the (struct epitem *) for the socket. Thread B then runs and ep_remove() frees the (struct epitem *). Thread A then runs some more and stores the value of events into the now freed block of memory pointed to by dpi.
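A model of the lookup-then-use window the report describes, added here as an example; it is not code from the epoll patch or from this message. The table, the `live` flag (standing in for kfree() so the stale write can be observed), `racy_mod_lookup`, `racy_mod_store` and `safe_mod` are constructed names; `safe_mod` shows the fix shape, keeping ep_find() and the store in one critical section.

```c
#include <pthread.h>
#include <stddef.h>
/* Model of the bug's shape, not the epoll patch's code: a small item table
 * under one lock. ep_remove() clears `live` instead of freeing, so a stale
 * write can be observed without UB. ep_find() needs ep_lock held. */
struct epitem { int fd; unsigned int events; int live; };
#define NITEMS 4
static struct epitem table[NITEMS];               /* zero-init: all free */
static pthread_mutex_t ep_lock = PTHREAD_MUTEX_INITIALIZER;
static struct epitem *ep_find(int fd) {
    for (int i = 0; i < NITEMS; i++)
        if (table[i].live && table[i].fd == fd) return &table[i];
    return NULL;
}
/* EP_CTL_ADD: take the first free slot; -1 if the set is full. */
int ep_add(int fd, unsigned int events) {
    int i = 0;
    pthread_mutex_lock(&ep_lock);
    while (i < NITEMS && table[i].live) i++;
    if (i < NITEMS) table[i] = (struct epitem){fd, events, 1};
    pthread_mutex_unlock(&ep_lock);
    return i < NITEMS ? 0 : -1;
}
/* EP_CTL_DEL (ep_remove analogue): unlink and "free" the item. */
int ep_remove(int fd) {
    pthread_mutex_lock(&ep_lock);
    struct epitem *dpi = ep_find(fd);
    if (dpi) dpi->live = 0;                       /* stands in for kfree() */
    pthread_mutex_unlock(&ep_lock);
    return dpi ? 0 : -1;
}
/* Racy EP_CTL_MOD, split at the window the report describes: the lock is
 * dropped between lookup and store, so ep_remove() can slip in between. */
struct epitem *racy_mod_lookup(int fd) {
    pthread_mutex_lock(&ep_lock);
    struct epitem *dpi = ep_find(fd);
    pthread_mutex_unlock(&ep_lock);
    return dpi;
}
/* ...and the store trusts the stale pointer, with no liveness check. */
void racy_mod_store(struct epitem *dpi, unsigned int e) { dpi->events = e; }
/* Hardened EP_CTL_MOD: lookup and store in one critical section, so a
 * concurrent ep_remove() runs wholly before (-1, like -ENOENT) or after. */
int safe_mod(int fd, unsigned int events) {
    pthread_mutex_lock(&ep_lock);
    struct epitem *dpi = ep_find(fd);
    if (dpi) dpi->events = events;
    pthread_mutex_unlock(&ep_lock);
    return dpi ? 0 : -1;
}
```

Sequencing the calls by hand reproduces the interleaving deterministically: after `ep_remove()` the racy store still lands in the dead item, while `safe_mod()` on the removed fd fails cleanly and writes nothing.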