Re: [Security] DoS on x86_64

[Mathias Krause <minipli@googlemail.com>]

[-- Attachment #1: Type: text/plain, Size: 1408 bytes --]

Am 28.01.2010 um 23:33 schrieb Linus Torvalds:
>>
>> - The actual point of no return in the case of binfmt_elf.c is inside
>> the subroutine flush_old_exec() [which makes sense - the actual  
>> process
>> switch shouldn't be dependent on the binfmt] which isn't subject to
>> compat-level macro munging.
>
> Why worry about it? We already do that additional
>
> 	SET_PERSONALITY(loc->elf_ex);
>
> _after_ the flush_old_exec() call anyway in fs/binfmt_elf.c.
>
> So why not just simply remove the whole early SET_PERSONALITY  
> thing, and
> only keep that later one? The comment about "lookup of the  
> interpreter" is
> known to be irrelevant these days, so why don't we just remove it all?
>
> I have _not_ tested any of this, and maybe there is some crazy  
> reason why
> this won't work, but I'm not seeing it.
>
> I think we do have to do that "task_size" thing (which  
> flush_old_exec()
> also does), because it depends on the personality exactly the same way
> STACK_TOP does. But why isn't the following patch "obviously correct"?

Looks good to me because that's almost exactly the thing we already  
tried, too. But by doing so we just got another Oops when executing a  
32 bit program. But, in fact, we forgot the assignment of TASK_SIZE  
which now clearly makes sense. I guess we can try this tomorrow. I'll  
keep you informed.

Thanks for the patch. Looks promising :)


Greets,
Mathias

[-- Attachment #2: Signierter Teil der Nachricht --]
[-- Type: application/pgp-signature, Size: 186 bytes --]