lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <9E41D070-24A2-48B8-9AF2-47B575228BF1@gmail.com>
Date:	Wed, 5 Aug 2015 11:30:28 +0800
From:	yalin wang <yalin.wang2010@...il.com>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Ingo Molnar <mingo@...nel.org>, dave@...1.net,
	David Rientjes <rientjes@...gle.com>, fabf@...net.be,
	bhe@...hat.com, open list <linux-kernel@...r.kernel.org>
Subject: Re: [RFC] kcore:change kcore_read to make sure the kernel read is safe


> On Aug 5, 2015, at 06:38, Andrew Morton <akpm@...ux-foundation.org> wrote:
> 
> On Tue, 4 Aug 2015 11:37:57 +0800 yalin wang <yalin.wang2010@...il.com> wrote:
> 
>> This change kcore_read() to use __copy_from_user_inatomic() to
>> copy data from kernel address, because kern_addr_valid() just make sure
>> page table is valid during call it, whne it return, the page table may
>> change, for example, like set_fixmap() function will change kernel page
>> table, then maybe trigger kernel crash if encounter this unluckily.
> 
> The changelog is a bit hard to follow.  How does this version look?
> 
> : read_kcore() does a copy_to_user() from kernel memory.  This could cause a
> : crash if the source (kernel) address is concurrently unmapped via, say,
> : set_fixmap().  The kern_addr_valid() check is racy and won't reliably
> : prevent this.
> : 
> : Change kcore_read() to use __copy_from_user_inatomic() via a temporary
> : buffer to catch such situations.
> 
> What actually happens when copy_to_user() gets a fault on the source
> address?  It *could* handle it and return -EFAULT.  I forget...
> 
> Also...  what is special about this particular copy_to_user()?  Isn't
> every copy_to_user() in the kernel vulnerable to a concurrent
> set_fixmap()?  Is it that only read_kcore() will read pages which are
> subject to set_fixmap() alteration?
> 
Thanks for your great comment .
i agree with your git change log,
one more question, at first i only focus on arm64 arch,
it only check __user* address during copy_from{to}_user,
but other architecther like X86 check both source and dest address
in copy_from{to}_user, is there some special reason do like this?
in my view , just need check __user* address is enough, and if also
have ex_table for kernel address access maybe hide some BUG in kernel ,
i think kernel don’t need it, or am i miss something ?

if copy_from{to}_user both check source and dest address,
we don’t need this patch, it is safe .
Maybe we need one more API , like:
copy_data_in_user(__user *source, __user *dest, size_t size)  ??
>> --- a/fs/proc/kcore.c
>> +++ b/fs/proc/kcore.c
>> @@ -86,8 +86,8 @@ static size_t get_kcore_size(int *nphdr, size_t *elf_buflen)
>> 			size = try;
>> 		*nphdr = *nphdr + 1;
>> 	}
>> -	*elf_buflen =	sizeof(struct elfhdr) + 
>> -			(*nphdr + 2)*sizeof(struct elf_phdr) + 
>> +	*elf_buflen =	sizeof(struct elfhdr) +
>> +			(*nphdr + 2)*sizeof(struct elf_phdr) +
> 
> Unrelated whitespace fixes really shouldn't be in here.  They don't
> bother me too much, but some people get upset ;)
> 

i will seperate in another patch for format correctness.

>> 			3 * ((sizeof(struct elf_note)) +
>> 			     roundup(sizeof(CORE_STR), 4)) +
>> 			roundup(sizeof(struct elf_prstatus), 4) +
>> @@ -435,6 +435,7 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
>> 	size_t elf_buflen;
>> 	int nphdr;
>> 	unsigned long start;
>> +	unsigned long page = 0;
> 
> "page" isn't a very good name - when we see that identifier we expect
> it to be a `struct page *'.  Maybe call it copy_buf or something.
> 
> (And incoming argument "buffer" was poorly named.  "buffer" implies some
> temporary intermediate thing, which is inappropriate here!)
> 
will change name.

>> 	read_lock(&kclist_lock);
>> 	size = get_kcore_size(&nphdr, &elf_buflen);
>> @@ -485,7 +486,7 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
>> 	start = kc_offset_to_vaddr(*fpos - elf_buflen);
>> 	if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
>> 		tsz = buflen;
>> -		
>> +
>> 	while (buflen) {
>> 		struct kcore_list *m;
>> 
>> @@ -515,15 +516,32 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
>> 		} else {
>> 			if (kern_addr_valid(start)) {
> 
> Do we still need the (racy) kern_addr_valid() test?  The code should
> work OK if this is removed?
> 
Yes, can remove

>> 				unsigned long n;
>> +				mm_segment_t old_fs = get_fs();
>> +
>> +				if (page == 0) {
>> +					page = __get_free_page(GFP_KERNEL);
>> +					if (page == 0)
>> +						return -ENOMEM;
>> 
>> -				n = copy_to_user(buffer, (char *)start, tsz);
>> +				}
>> +				set_fs(KERNEL_DS);
>> +				pagefault_disable();
>> +				n = __copy_from_user_inatomic((void *)page,
>> +					(__force const void __user *)start,
>> +					tsz);
>> +				pagefault_enable();
>> +				set_fs(old_fs);
> 
> We should have a code comment in here telling people what's going on. 
> A concurrent set_fixmap() on the source memory is unexpected!

Ok.
> 
>> +				if (n)
>> +					memset((void *)page + tsz - n, 0, n);
>> +
>> +				n = copy_to_user(buffer, (char *)page, tsz);
>> 				/*
>> 				 * We cannot distinguish between fault on source
>> 				 * and fault on destination. When this happens
>> 				 * we clear too and hope it will trigger the
>> 				 * EFAULT again.
>> 				 */
>> -				if (n) { 
>> +				if (n) {
>> 					if (clear_user(buffer + tsz - n,
>> 								n))
>> 						return -EFAULT;
>> @@ -540,7 +558,7 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
>> 		start += tsz;
>> 		tsz = (buflen > PAGE_SIZE ? PAGE_SIZE : buflen);
>> 	}
>> -
>> +	free_page(page);
>> 	return acc;
>> }
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ