lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4A5CB8B4.7050108@monstr.eu>
Date:	Tue, 14 Jul 2009 18:56:20 +0200
From:	Michal Simek <monstr@...str.eu>
To:	Arnd Bergmann <arnd@...db.de>
CC:	Linux Kernel list <linux-kernel@...r.kernel.org>,
	LTP <ltp-list@...ts.sourceforge.net>
Subject: Re: access_ok macor

Arnd Bergmann wrote:
> On Tuesday 14 July 2009, Michal Simek wrote:
>> Arnd Bergmann wrote:
> 
>>>>  r29=00000000, r30=00000000, r31=CE9759A4, rPC=C000123C
>>>>  msr=800045AE, ear=00000001, esr=000000B2, fsr=000080D0
>>>> Segmentation fault
>>>>
>>> I guess then you should check if 0xc000123c is in your
>>> exception table, or why it is not.
>> on that address is load instruction for unaligned exception because addr is odd number
>> that's why is called unaligned exception handler and from this function
>> is called load instruction which failed. :-(
>>
>> Currently this make more sense why that tests failed. If that pointers are
>> even number exception is not taken and exception sure don't have fixup for it because
>> this is generic code. :-(
>>
>> That's the problem because we are looking for regs->pc but this point to unaligned exception
>> handler.
> 
> Ok, that makes a lot of sense.
> 
> The solution then is to handle fixups from the unaligned exception handler
> if you come from the kernel. That should fix the three text cases.
> 
> I don't fully understand your exception handling there, but I think you
> also need to add code checking for __range_ok() to your unaligned handler,
> to prevent malicious user space code from accessing the kernel through
> unaligned pointers.

when the code tried to read/write from unaligned address (and in cpu is turn on unaligned exception)
then is caused unaligned exception and asm code assemble/return value which is on that unaligned
address. (Assemble it that read/write every byte separately). That will be harder to prevent all
this cases because unaligned exception is in generic code.
What do you mean add __range_ok? Range checking is ok. The problem is when in case get_user kernel
try to load unaligned addr - unaligned exception is perform and try to load that value separately.
If that page is not there, page fault handler is called and not find it, it is performed search
from exception table and that address is not there of course - because address in pc is generic
unaligned code. I think that handling this needs more code.
Maybe if the address with from unaligned exception handler (there are some address which can caused
it) and find out which aligned address is there and find out proper fixup for it.
I think that this could work.

What do you think?

Michal



> 
> 	Arnd <><


-- 
Michal Simek, Ing. (M.Eng)
w: www.monstr.eu p: +42-0-721842854
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ