lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sat, 9 Jul 2016 10:07:34 -0700
From:	Kees Cook <keescook@...omium.org>
To:	Valdis Kletnieks <Valdis.Kletnieks@...edu>
Cc:	"kernel-hardening@...ts.openwall.com" 
	<kernel-hardening@...ts.openwall.com>,
	Christoph Lameter <cl@...ux.com>, Jan Kara <jack@...e.cz>,
	Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will.deacon@....com>,
	Linux-MM <linux-mm@...ck.org>,
	sparclinux <sparclinux@...r.kernel.org>,
	linux-ia64@...r.kernel.org, Andrea Arcangeli <aarcange@...hat.com>,
	linux-arch <linux-arch@...r.kernel.org>,
	"x86@...nel.org" <x86@...nel.org>,
	Russell King <linux@...linux.org.uk>,
	PaX Team <pageexec@...email.hu>, Borislav Petkov <bp@...e.de>,
	Mathias Krause <minipli@...glemail.com>,
	Fenghua Yu <fenghua.yu@...el.com>,
	Rik van Riel <riel@...hat.com>,
	David Rientjes <rientjes@...gle.com>,
	Tony Luck <tony.luck@...el.com>,
	Andy Lutomirski <luto@...nel.org>,
	Joonsoo Kim <iamjoonsoo.kim@....com>,
	Dmitry Vyukov <dvyukov@...gle.com>,
	Laura Abbott <labbott@...oraproject.org>,
	Brad Spengler <spender@...ecurity.net>,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Pekka Enberg <penberg@...nel.org>,
	Case y Sc hauf ler <casey@...aufler-ca.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	"linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>,
	"David S. Miller" <davem@...emloft.net>,
	"linux-arm-kernel@...ts.infradead.org" 
	<linux-arm-kernel@...ts.infradead.org>
Subject: Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support

On Fri, Jul 8, 2016 at 11:17 PM,  <Valdis.Kletnieks@...edu> wrote:
> Yeah, 'ping' dies with a similar traceback going to rawv6_setsockopt(),
> and 'trinity' dies a horrid death during initialization because it creates
> some sctp sockets to fool around with.  The problem in all these cases is that
> setsockopt uses copy_from_user() to pull in the option value, and the allocation
> isn't tagged with USERCOPY to whitelist it.

Just a note to clear up confusion: this series doesn't include the
whitelist protection, so this appears to be either bugs in the slub
checker or bugs in the code using the cfq_io_cq cache. I suspect the
former. :)

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ