| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4EDCA87F.6020201@kernel.org> Date: Mon, 05 Dec 2011 03:18:23 -0800 From: "H. Peter Anvin" <hpa@...nel.org> To: Andy Lutomirski <luto@...capital.net> CC: Linus Torvalds <torvalds@...ux-foundation.org>, x86@...nel.org, Ingo Molnar <mingo@...e.hu>, richard -rw- weinberger <richard.weinberger@...il.com>, Adrian Bunk <bunk@...sta.de>, "H. Peter Anvin" <hpa@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org Subject: Re: [PATCH 0/2] Fix and re-enable vsyscall=emulate On 12/02/2011 02:47 PM, Andy Lutomirski wrote: > On Mon, Nov 7, 2011 at 4:33 PM, Andy Lutomirski <luto@...capital.net> wrote: >> The really nice fix (wiring up access_ok failures to be able to raise >> signals) won't be ready on time for 3.2, so let's try the simpler fix >> for now. > > I spoke to hpa about this a couple days ago, and he pointed out a > problem with making access_ok send signals. Userspace expects signals > that come with full context information to be restartable, and many > system calls are not restartable. read() and write() are the obvious > examples: once they're processed the beginning of the buffer, unless > they adjust their parameters, they can't safely be restarted. So > without massive changes, I think allowing access_ok to raise a signal > with full context is asking for trouble. > > I can still do the patch with two modes: signals without context via > arch_prctl and signals with context via vsyscall emulation, but that's > probably overkill for fixing this bug. I'd say just apply these > patches as is (for 3.3). > It's somewhat questionable if the "return -EFAULT and deliver SIGSEGV" semantic resolves the problem; obviously the signal handler isn't restartable, but returning from the signal handler will at least cause the application to see the EFAULT and not try to restart a system call in a way that is likely to cause massive failure. If the handler is aware about what needs to be done then it can correct the situation and restart the system call -- but it would have to have detailed information about the state before the system call. I am also concerned about information leaks from the kernel. The existing kernel paths are not necessarily designed to be robust against giving out additional error information. This may be a theoretical concern, but there have been real security holes in the past from these kinds of changes. -hpa -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists