lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <1401357089-24959-2-git-send-email-richard@nod.at>
Date:	Thu, 29 May 2014 11:51:29 +0200
From:	Richard Weinberger <richard@....at>
To:	user-mode-linux-devel@...ts.sourceforge.net
Cc:	linux-kernel@...r.kernel.org, Richard Weinberger <richard@....at>
Subject: [PATCH 2/2] um: Detect kernel userspace access

>From time to time users report that UML hangs and consumes 100% CPU
on the host side.
Analyzing such an issue uncovered a bug in UML's page fault
handler. If the kernel tries to access userspace memory without
copy_from/to_user() UML receives a SIGSEGV and tries to handle
it. As the page fault handler is not designed to fix such faults the
SIGSEGV stays and UML consumes all CPU handling SIGSEGV.
The only sane thing we can do here is calling panic().

This patch helps to detect bad memory access from the kernel side.

Signed-off-by: Richard Weinberger <richard@....at>
---
 arch/um/kernel/trap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
index b0a3017..04a6de4 100644
--- a/arch/um/kernel/trap.c
+++ b/arch/um/kernel/trap.c
@@ -222,6 +222,9 @@ unsigned long segv(struct faultinfo fi, unsigned long ip, int is_user,
 		if (!is_user && address < PAGE_SIZE) {
 			show_regs(container_of(regs, struct pt_regs, regs));
 			panic("NULL pointer dereference at ip:0x%lx address:0x%lx", ip, address);
+		} else if (!is_user && address < task_size) {
+			show_regs(container_of(regs, struct pt_regs, regs));
+			panic("Kernel tried to access userspace at ip:0x%lx address:0x%lx", ip, address);
 		}
 
 		err = handle_page_fault(address, ip, is_write, is_user,
-- 
1.8.4.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ