Eric Biederman recently posted a patch to replace a 32-bit counter with a 64-bit counter. This would fix the problem that, as he put it, "With care an attacker can cause exec_id wrap and send arbitrary signals to a newly exec'd parent." He added that he had tested this hole and found that he could wrap the 32-bit exec_id and exploit the problem in two weeks. Faster systems, of course, could do it more quickly.

However, Eric did acknowledge that on 32-bit CPUs, "reading self_exec_id is no longer atomic and can take two read instructions." This meant that on 32-bit systems there would be a microscopic window of time when the actual self_exec_id value would not match the value being read by the code.

Linus Torvalds acknowledged the patch, saying it didn't seem urgent, and asked Eric to put it in his own source tree, where it would percolate up to Linus the next time he took a merge from that tree. During that time, he said, this security hole remained exploitable.

Jann wrote some test code that reduced Eric's 14-day rollover to 14 hours. Jann said that while 64-bit CPUs would probably be fine, 32-bit CPUs would be vulnerable to "store tearing." Store tearing is the name for what Eric described – when it takes two instructions to write a piece of data, and those two instructions can be "torn" by malicious code to take advantage of the fact that the actual data is different from what we think it is in that brief instant. The reciprocal term "load tearing" refers to when it takes two instructions to read a piece of data.

He said that in order to exploit that vulnerability, "first you'd have to work however many weeks to do 4 billion execve() calls, and then you need to hit basically a single-instruction race to take advantage of it. If you have that kind of God-like capability, whoever you're attacking stands no chance in the first place."

Jann agreed the risk was low, but said the code was simply technically wrong and amounted to having an "intentional race" condition in the kernel. This could theoretically break tools that tested kernel security. It could also lead developers to unwittingly copy that same broken code for use elsewhere.

Jann suggested at least including a code comment to let people know this wasn't how to do things. Even better, Jann said, would be that, "Since the read is already protected by the tasklist_lock, an alternative might be to let the execve path also take that lock to protect the sequence number update, given that execve is not a particularly hot path."

Linus agreed that a code comment would be fine.
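The store and load tearing discussed above, as an added user-space illustration that is not code from the kernel thread or from Eric's patch: a 64-bit exec_id is modelled the way a 32-bit CPU keeps it, in two halves that are stored and loaded by separate instructions, and every interleaving of the writer's two stores with the reader's two loads is replayed. When the counter crosses a 32-bit boundary, a torn read returns a value that is neither the old nor the new one (here 0, which looks like an exec_id from 4 billion execs earlier); holding a lock around both halves, as Jann's tasklist_lock suggestion would, leaves only the two non-overlapping orders. The `split_u64` type, the interleaving strings and the sample values are constructions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 64-bit counter as a 32-bit CPU keeps it, in two halves. */
typedef struct { uint32_t lo, hi; } split_u64;
/* Writer: one 64-bit store is two 32-bit stores, low half first. */
static void store_step(split_u64 *c, uint64_t v, int step) {
    if (step == 0) c->lo = (uint32_t)v; else c->hi = (uint32_t)(v >> 32);
}

/* Reader: one 64-bit load is two 32-bit loads, high half first. */
static void load_step(const split_u64 *c, uint32_t *hi, uint32_t *lo, int step) {
    if (step == 0) *hi = c->hi; else *lo = c->lo;
}

/* Replay one interleaving ('W' = writer step, 'R' = reader step, two of each)
 * of an update from oldv to newv and return the value the reader assembles. */
static uint64_t replay(uint64_t oldv, uint64_t newv, const char *order) {
    split_u64 c = { (uint32_t)oldv, (uint32_t)(oldv >> 32) };
    uint32_t hi = 0, lo = 0; int ws = 0, rs = 0;
    for (const char *p = order; *p; p++) {
        if (*p == 'W') store_step(&c, newv, ws++);
        else load_step(&c, &hi, &lo, rs++);
    }
    return ((uint64_t)hi << 32) | lo;
}

/* Count the interleavings in which the reader sees a value that is neither old
 * nor new. With a lock held around both halves of the store and of the load
 * (the tasklist_lock suggestion), only the non-overlapping WWRR and RRWW remain. */
static int count_torn(uint64_t oldv, uint64_t newv, bool locked) {
    static const char *orders[] = {"WWRR", "WRWR", "WRRW", "RWWR", "RWRW", "RRWW"};
    int torn = 0;
    for (int i = 0; i < 6; i++) {
        if (locked && i != 0 && i != 5) continue;
        uint64_t seen = replay(oldv, newv, orders[i]);
        if (seen != oldv && seen != newv) torn++;
    }
    return torn;
}

int main(void) {
    uint64_t oldv = 0xFFFFFFFFull, newv = 0x100000000ull; /* crossing the 32-bit boundary */
    printf("torn orders, unlocked: %d\n", count_torn(oldv, newv, false));
    printf("torn orders, locked:   %d\n", count_torn(oldv, newv, true));
    printf("value seen under WRWR: %llu\n", (unsigned long long)replay(oldv, newv, "WRWR"));
    return 0;
}
```

An update that does not change the high half (for example 5 to 6) can never tear in this model, which is why the window only opens at the 32-bit wrap points that the 64-bit counter introduces.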