lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20131126135454.b5e9597a998509f1ab43cee4@linux-foundation.org>
Date:	Tue, 26 Nov 2013 13:54:54 -0800
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	"H. Peter Anvin" <hpa@...or.com>
Cc:	Ingo Molnar <mingo@...nel.org>, Al Viro <viro@...IV.linux.org.uk>,
	Thomas Gleixner <tglx@...utronix.de>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Vitaly Mayatskikh <v.mayatskih@...il.com>
Subject: Re: copy_from_user_*() and buffer zeroing

On Tue, 26 Nov 2013 13:07:07 -0800 "H. Peter Anvin" <hpa@...or.com> wrote:

> I just started looking into the horribly confused state of buffer
> zeroing for the various copy_from_user variants.  This came up after we
> did some minor tuning last week.
> 
> copy_from_user_inatomic() seems to be documented to not zero the buffer.
>  This is definitely *NOT* true on x86-64, although it does seem to be
> true on i386 -- on x86-64, we carry along a "zerorest" flag but in all
> possible codepaths it will be set to true unless the remaining byte
> count is zero anyway.
> 
> Furthermore, on at least x86-64, if we do an early bailout, we don't
> zero the entire buffer in the case of a hard-coded 10- or 16-byte buffer
> (why only those sizes is anybody's guess.)  See lines 71-88 of uaccess_64.h.
> 
> I'd like to figure out what is the required and what is the desirable
> behavior here, and then fix the code accordingly.
> 

Nine years ago:

commit 7079f897164cb14f616c785d3d01629fd6a97719
Author: mingo <mingo>
Date:   Fri Aug 27 17:33:18 2004 +0000

    [PATCH] Add a few might_sleep() checks
    
    Add a whole bunch more might_sleep() checks.  We also enable might_sleep()
    checking in copy_*_user().  This was non-trivial because of the "copy_*_user()
    in atomic regions" trick would generate false positives.  Fix that up by
    adding a new __copy_*_user_inatomic(), which avoids the might_sleep() check.
    
    Only i386 is supported in this patch.


I can't think of any reason why __copy_from_user_inatomic() should be
non-zeroing.  But maybe I'm missing something - this would pretty
easily permit uninitialised data to appear in pagecache and someone
surely would have noticed..

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ