| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 4 Aug 2023 16:59:07 +0800
From: yunlong xing <yunlongxing23@...il.com>
To: Kees Cook <keescook@...omium.org>
Cc: Yunlong Xing <yunlong.xing@...soc.com>, tony.luck@...el.com,
gpiccoli@...lia.com, joel@...lfernandes.org, enlin.mu@...soc.com,
linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
enlinmu@...il.com
Subject: Re: [PATCH 1/1] pstore/ram: Check member of buffers during the
initialization phase of the pstore
On Fri, Aug 4, 2023 at 4:10 PM Kees Cook <keescook@...omium.org> wrote:
>
> On Tue, Aug 01, 2023 at 02:04:32PM +0800, Yunlong Xing wrote:
> > From: Enlin Mu <enlin.mu@...soc.com>
> >
> > The commit 30696378f68a("pstore/ram: Do not treat empty buffers as valid")
> > would introduce the following issue:
> >
> > When finding the buffer_size is zero, it would return directly.However, at
> > the same time, if the buffer's start is a illegal value, the others would
> > panic if access the buffer.
>
> Which "others" do you mean?
About “others", You can refer to the following panic call stack:
sysdump_panic_event+0x720/0xd38
atomic_notifier_call_chain+0x58/0xc0
panic+0x1c4/0x6e4
die+0x3c0/0x428
bug_handler+0x4c/0x9c
brk_handler+0x98/0x14c
do_debug_exception+0x114/0x2ec
el1_dbg+0x18/0xbc
usercopy_abort+0x90/0x94
__check_object_size+0x17c/0x2c4
persistent_ram_update_user+0x50/0x220
persistent_ram_write_user+0x354/0x428
ramoops_pstore_write_user+0x34/0x50
write_pmsg+0x14c/0x26c
do_iter_write+0x1cc/0x2cc
vfs_writev+0xf4/0x168
do_writev+0xa4/0x200
__arm64_sys_writev+0x20/0x2c
el0_svc_common+0xc8/0x22c
el0_svc_handler+0x1c/0x28
el0_svc+0x8/0x100
>
> > To avoid these happenning, check if the members are legal during the
> > initialization phase of the pstore.
> >
> > Fixes: 30696378f68a ("pstore/ram: Do not treat empty buffers as valid")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Enlin Mu <enlin.mu@...soc.com>
> > ---
> > fs/pstore/ram_core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
> > index 85aaf0fc6d7d..eb6df190d752 100644
> > --- a/fs/pstore/ram_core.c
> > +++ b/fs/pstore/ram_core.c
> > @@ -519,7 +519,7 @@ static int persistent_ram_post_init(struct persistent_ram_zone *prz, u32 sig,
> > sig ^= PERSISTENT_RAM_SIG;
> >
> > if (prz->buffer->sig == sig) {
> > - if (buffer_size(prz) == 0) {
> > + if (buffer_size(prz) == 0 && buffer_start(prz) == 0) {
> > pr_debug("found existing empty buffer\n");
> > return 0;
> > }
>
> And in the case of "buffer_size(prz) == 0" but "buffer_start(prz) != 0",
> this will be caught by:
>
> if (buffer_size(prz) > prz->buffer_size ||
> buffer_start(prz) > buffer_size(prz)) {
> pr_info("found existing invalid buffer, size %zu, start %zu\n",
> buffer_size(prz), buffer_start(prz));
> zap = true;
> }
>
> i.e. it will be detected and zapped back to a sane state.
No,This code has no chance of execution because there was a return 0 before it
>
> That sounds correct to me, though I wonder if reporting it as an
> "invalid buffer" is inaccurate? Perhaps we should have a separate case:
>
> if (buffer_size(prz) == 0) {
> if (buffer_start(prz) == 0)
> pr_debug("found existing empty buffer\n");
> else {
> pr_debug("found existing empty buffer with non-zero start\n");
> zap = true;
> }
> } else if ...
>
> What do you think?
Good, I gree it. For me, it should not return directly while finding
the buffer_size is zero, We need Check others case.
So does the modification method you mentioned require me to resubmit a
patch or do you need to modify and merge it
>
> --
> Kees Cook
Powered by blists - more mailing lists