lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOUHufbUUf1--=qiseAYzjN2DdyCkf_x=CQboWYDduH7VgpXmQ@mail.gmail.com> Date: Fri, 16 Sep 2022 20:20:00 -0600 From: Yu Zhao <yuzhao@...gle.com> To: Kees Cook <keescook@...omium.org> Cc: Matthew Wilcox <willy@...radead.org>, Uladzislau Rezki <urezki@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, dev@...-flo.net, Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...hat.com>, linux-kernel <linux-kernel@...r.kernel.org>, "the arch/x86 maintainers" <x86@...nel.org>, linux-perf-users@...r.kernel.org, Linux-MM <linux-mm@...ck.org>, linux-hardening@...r.kernel.org, Linux-Arch <linux-arch@...r.kernel.org> Subject: Re: [PATCH 0/3] x86/dumpstack: Inline copy_from_user_nmi() On Fri, Sep 16, 2022 at 8:01 AM Kees Cook <keescook@...omium.org> wrote: > > Hi, > > This fixes a find_vmap_area() deadlock. The main fix is patch 2, repeated here: > > The check_object_size() helper under CONFIG_HARDENED_USERCOPY is > designed to skip any checks where the length is known at compile time as > a reasonable heuristic to avoid "likely known-good" cases. However, it can > only do this when the copy_*_user() helpers are, themselves, inline too. > > Using find_vmap_area() requires taking a spinlock. The check_object_size() > helper can call find_vmap_area() when the destination is in vmap memory. > If show_regs() is called in interrupt context, it will attempt a call to > copy_from_user_nmi(), which may call check_object_size() and then > find_vmap_area(). If something in normal context happens to be in the > middle of calling find_vmap_area() (with the spinlock held), the interrupt > handler will hang forever. > > The copy_from_user_nmi() call is actually being called with a fixed-size > length, so check_object_size() should never have been called in the > first place. In order for check_object_size() to see that the length is > a fixed size, inline copy_from_user_nmi(), as already done with all the > other uaccess helpers. > > Reported-by: Yu Zhao <yuzhao@...gle.com> > Link: https://lore.kernel.org/all/CAOUHufaPshtKrTWOz7T7QFYUNVGFm0JBjvM700Nhf9qEL9b3EQ@mail.gmail.com > Reported-by: dev@...-flo.net > > Patch 1 is a refactor for patch 2, and patch 3 should make sure we avoid > future deadlocks. Thanks! Tested-by: Yu Zhao <yuzhao@...gle.com> The same test has been holding up well for a few hours now. It used to throw that warning in less than half an hour.
Powered by blists - more mailing lists