| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Mar 2009 15:40:02 +0100
From: Ingo Molnar <mingo@...e.hu>
To: prasad@...ux.vnet.ibm.com
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Alan Stern <stern@...land.harvard.edu>,
Roland McGrath <roland@...hat.com>
Subject: Re: [patch 08/11] Modify Ptrace routines to access breakpoint
registers
* prasad@...ux.vnet.ibm.com <prasad@...ux.vnet.ibm.com> wrote:
> -static unsigned long debugreg_addr_limit(struct task_struct *task)
> -{
> -#ifdef CONFIG_IA32_EMULATION
> - if (test_tsk_thread_flag(task, TIF_IA32))
> - return IA32_PAGE_OFFSET - 3;
> -#endif
> - return TASK_SIZE_MAX - 7;
> -}
> -
I dont see where this security check has been carried over into
the generic code. The new code has:
+int arch_check_va_in_userspace(unsigned long va, struct task_struct *tsk)
+{
+ return (va < TASK_SIZE);
+}
but i think that misses the detail that it's not just the start
address of an x86 breakpoint that has to be considered, but also
the end addess of it.
For example a hardware breakpoint can be at 0xbfffffff with a
length of 4 bytes - thus overlapping into kernel-space by 3
bytes. It is important to not let that happen.
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists