On 28 April 2016 at 23:30, Andrew Morton <a...@linux-foundation.org> wrote:
> On Thu, 28 Apr 2016 21:04:18 +0200 Mathias Krause <mini...@googlemail.com>
> wrote:
>
>> If /proc/<PID>/environ gets read before the envp[] array is fully set
>> up in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying
>> to read more bytes than are actually written, as env_start will already
>> be set but env_end will still be zero, making the range calculation
>> underflow, allowing to read beyond the end of what has been written.
>>
>> Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
>> zero. It is, apparently, intentionally set last in create_*_tables().
>
> Also, if this is indeed our design then
>
> a) the various create_*_tables() should have comments in there which
> explain this subtlety to the reader. Or, better, they use a common
> helper function for this readiness-signaling operation because..
>
> b) we'll need some barriers there to ensure that the environ_read()
> caller sees the create_*_tables() writes in the correct order.
I totally agree that this kind of "synchronization" is rather fragile.
Adding comments won't help much, I fear. Rather a dedicated flag,
signaling "process ready for inspection" may be needed. So far, that's
what env_end is (ab-)used for.
Regards,
Mathias
