From: Meng Xu <[email protected]>

`attr->size`, after the second fetch `copy_from_user(attr, uattr, size)`, can differ from what was initially fetched and checked by `get_user(size, &uattr->size)`, because of a race condition in userspace.
The issue and the patch are both similar to commit f12f42a (in kernel/events/core.c). Signed-off-by: Meng Xu <[email protected]> --- kernel/sched/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 0869b20..c22d2b4 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -4349,6 +4349,8 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a if (ret) return -EFAULT; + attr->size = size; + /* * XXX: Do we want to be lenient like existing syscalls; or do we want * to be strict and return an error on out-of-bounds values? -- 2.7.4
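Review bot: the new `attr->size = size;` is placed correctly just after the `if (ret) return -EFAULT;` check (any earlier write-back would be overwritten by the full-struct `copy_from_user(attr, uattr, size)`), but the hunk carries no comment saying why the already-validated `size` is written back, so a later cleanup could drop it as a redundant store; a one-line comment above it, e.g. `/* userspace may have changed uattr->size since get_user(); restore the validated value */`, would document the double-fetch it guards against. The commit message also does not name which later reader of `attr->size` consumed the user-controlled value, and the visible context lines do not show one, so it is worth stating that explicitly for the record.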

