lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200907141521.47719.arnd@arndb.de>
Date:	Tue, 14 Jul 2009 15:21:47 +0200
From:	Arnd Bergmann <arnd@...db.de>
To:	monstr@...str.eu
Cc:	Linux Kernel list <linux-kernel@...r.kernel.org>,
	LTP <ltp-list@...ts.sourceforge.net>
Subject: Re: access_ok macor

On Tuesday 14 July 2009, Michal Simek wrote:
> I found that I can setup text base in binutils/ld/emulparam/elf32mb_linux.sh
> 
> The problem which I have is that if I run socketpair, getsockname, getpeername LTP
> tests with invalid salen pointer there are addresses close to 0x0. Microblaze
> has no text there and the sigsegv fault is generated.

This sounds like a classic NULL pointer dereference that is handled correctly
by the kernel. The question is where the address came from.

> This fault could be fixed by changed access_ok macro where I check bottom limit
> at 0x1000 0000 too. After this change the LTP program not failed but I am not sure
> if is the right solution because none arch do it. All archs just check upper limit
> not lower.
> 
> What is the correct solution for it? Moving .text base to 0x0 or is there any other
> elegant solution?

Moving .text is not the right solution, because it only papers over real bugs.
access_ok() is also not the right place to check this, the only purpose it has
is to make sure that the argument is not a valid kernel address but either a
valid user address or possibly invalid address. Also, access_ok() is only used
together with the copy_from/to_user and get/put_user function families. These
need to catch invalid addresses with a fixup table entry in the kernel.

I briefly looked at your implementation but could not find any problems in
this area. Could you use gdb to find out whether the sigsegv happens in the
kernel at all, or in user space?

	Arnd <><
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ