lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 20 Sep 2016 22:03:26 +0100
From:   Al Viro <viro@...IV.linux.org.uk>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Heiko Carstens <heiko.carstens@...ibm.com>,
        Martin Schwidefsky <schwidefsky@...ibm.com>,
        Jan Stancek <jstancek@...hat.com>,
        Arnd Bergmann <arnd@...db.de>, Greg Ungerer <gerg@...inux.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] fix fault_in_multipages_...() on architectures with
 no-op access_ok()

On Tue, Sep 20, 2016 at 01:48:10PM -0700, Linus Torvalds wrote:
> On Tue, Sep 20, 2016 at 1:38 PM, Al Viro <viro@...iv.linux.org.uk> wrote:
> >
> > Not the point.  Of course it *would* fail; the problem is that the loop
> > that would ping each page is never executed.
> 
> You're missing the point.
> 
> If "access_ok()" is fine with wrapping, then some otehr system call
> that wraps will successfully do a memcpy_from/to_user() with a wrapped
> address (and the proper mappings).

What proper mappings?  If you manage to mmap something at (void*)-PAGE_SIZE,
you are very deep in trouble regardless.  We use IS_ERR() on userland
pointers and any architecture where that would be possible would be confused
as hell.

The testcase here is uaddr = (void *)-1, len = (unsigned long)valid_addr + 2.
If it tried to do __put_user(uaddr, 0) it would immediately fail, just as
__copy_to_user(uaddr, len); the problem is, that call will only do
__put_user(valid_addr, 0) and succeed.

Again, if get_user/put_user/copy_{to,from}_user() anywhere near ERR_PTR(...)
would succeed, we'd get trouble without any wraparounds.  That page should
be absent, and it really is.  In all cases, s390 included.  Wraparound is
irrelevant here.  The reason why it got spotted was persistent failure of
copy_{to,from}_user after successful fault-ins.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ