KASAN: use-after-free Read in task_is_descendant

Tetsuo Handa penguin-kernel at i-love.sakura.ne.jp
Fri Oct 26 13:51:42 UTC 2018


On 2018/10/26 22:04, Oleg Nesterov wrote:
>> Suppose p1 == p2->real_parent and p2 == p3->real_parent, and p1 exited
>> when p2 tried to attach on p1, p2->real_parent was pointing to the already
>> (or about to be) freed p1.
> 
> No, p2->real_parent will be updated. If p1 exits it will re-parent its
> children including p2.

My error.

Suppose p1 == p2->real_parent and p2 == p3->real_parent, and p1 exited;
when someone tried to attach to p2, p2->real_parent was pointing to the
already (or about to be) freed p1.

So, the puzzling part is why p2->real_parent was still pointing to p1 even
after p1 was freed...

> 
> Again, did you read my previous email?

Yes. But I still can't be convinced that the pid_alive() test helps.



More information about the Linux-security-module-archive mailing list
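The real_parent chain the two messages reason about, as an added user-space model written for this page (it is not code from the thread, from Yama or from the kernel). The model builds the chain init(1) <- p1(2) <- p2(3) <- p3(4), lets p1 exit either with the re-parenting Oleg describes or in the stale-pointer state Tetsuo describes, and walks the chain the way task_is_descendant() does, with an optional pid_alive()-style stop on the walker. struct task, the pid numbers, build_tree(), task_exit(), task_exit_stale() and the check_alive flag are all assumptions of the model; real memory is never freed, so it can show what each state and check does, not whether the real kernel can reach the stale state, which is the open question in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not kernel code: a user-space model of the
 * real_parent chain discussed in the thread. struct task, the pid values
 * and the helper names are assumptions shaped after task_struct->real_parent,
 * pid_alive() and Yama's task_is_descendant(). Nothing is really freed here;
 * "freed" is modelled by alive == false. */

#define MAX_TASKS 8

struct task {
    int pid;
    bool alive;                /* model of pid_alive(): false once exited */
    struct task *real_parent;
};

static struct task tasks[MAX_TASKS];
static int ntasks;
static struct task *init_task;  /* reaper that orphans are re-parented to */
static struct task *g_p1, *g_p2, *g_p3;

static struct task *task_spawn(int pid, struct task *parent)
{
    struct task *t = &tasks[ntasks++];
    t->pid = pid;
    t->alive = true;
    t->real_parent = parent ? parent : t;  /* init points at itself */
    if (!parent)
        init_task = t;
    return t;
}

/* init(1) <- p1(2) <- p2(3) <- p3(4): the chain from the message. */
void build_tree(void)
{
    ntasks = 0;
    struct task *init = task_spawn(1, NULL);
    g_p1 = task_spawn(2, init);
    g_p2 = task_spawn(3, g_p1);
    g_p3 = task_spawn(4, g_p2);
}

/* Exit with re-parenting: every child of t is re-pointed at init before t
 * goes away, which is what Oleg says happens when p1 exits. */
void task_exit(struct task *t)
{
    for (int i = 0; i < ntasks; i++)
        if (&tasks[i] != t && tasks[i].real_parent == t)
            tasks[i].real_parent = init_task;
    t->alive = false;
}

/* Exit WITHOUT re-parenting: the hypothetical stale-pointer state Tetsuo
 * describes, where p2->real_parent still names the exited p1. */
void task_exit_stale(struct task *t)
{
    t->alive = false;
}

/* Walk child's real_parent chain up to init, in the shape of
 * task_is_descendant(). With check_alive set, a pid_alive()-style test
 * stops the walk at a dead task instead of reading its fields. */
bool task_is_descendant(const struct task *parent, const struct task *child,
                        bool check_alive)
{
    const struct task *walker = child;

    if (!parent || !child)
        return false;
    for (;;) {
        if (check_alive && !walker->alive)
            return false;          /* in the kernel this read would be the UAF */
        if (walker == parent)
            return true;
        if (walker == init_task)
            return false;          /* reached the reaper without a match */
        walker = walker->real_parent;
    }
}

int main(void)
{
    build_tree();
    printf("before p1 exits: p3 under p1 = %d\n",
           task_is_descendant(g_p1, g_p3, false));
    task_exit(g_p1);
    printf("p1 exited, re-parented: p2->real_parent is init = %d, p3 under p1 = %d\n",
           g_p2->real_parent == init_task, task_is_descendant(g_p1, g_p3, false));
    build_tree();
    task_exit_stale(g_p1);
    printf("stale p2->real_parent: walk without alive check = %d, with = %d\n",
           task_is_descendant(g_p1, g_p3, false),
           task_is_descendant(g_p1, g_p3, true));
    return 0;
}
```

In the re-parented run the walk from p3 reaches init without ever visiting p1, so there is nothing for an alive check to catch; only in the stale run does the walker land on the dead p1, and then the check_alive stop is what stands between the walk and the dead task's fields. Whether p2->real_parent can actually be stale at that moment is exactly what the model cannot decide.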