| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Dec 2017 23:45:04 +0100 (CET)
From: Thomas Gleixner <tglx@...utronix.de>
To: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
cc: linux-kernel <linux-kernel@...r.kernel.org>,
Andy Lutomirski <luto@...capital.net>,
Peter Zijlstra <peterz@...radead.org>,
Borislav Petkov <bp@...e.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Hugh Dickins <hughd@...gle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: Review of KPTI patchset
On Sat, 30 Dec 2017, Thomas Gleixner wrote:
> On Sat, 30 Dec 2017, Mathieu Desnoyers wrote:
> The only asymetry is in the error path of write_ldt() which can leak a half
> allocated page table. But, that's a nasty one because if there is an
> existing LDT mapped, then the pagetable cannot be freed. So yes, it's not
> nice, but harmless and needs some thought to fix.
In fact it's not a leak. It's just memory waste because the pagetable gets
freed when the process exits.
The memory waste is rather simple to fix. Delta patch below.
Thanks,
tglx
8<--------------
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -421,6 +421,14 @@ static int write_ldt(void __user *ptr, u
*/
error = map_ldt_struct(mm, new_ldt, old_ldt ? !old_ldt->slot : 0);
if (error) {
+ /*
+ * Drop potentially half populated page table if the
+ * mapping code failed and this was the first attempt to
+ * install a LDT. If there is a LDT installed then the LDT
+ * pagetable cannot be freed for obvious reasons.
+ */
+ if (!old_ldt)
+ free_ldt_pgtables(mm);
free_ldt_struct(new_ldt);
goto out_unlock;
}
Powered by blists - more mailing lists