lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5706833F.3000803@redhat.com>
Date:	Thu, 7 Apr 2016 09:56:47 -0600
From:	Al Stone <astone@...hat.com>
To:	Geert Uytterhoeven <geert@...ux-m68k.org>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Arnd Bergmann <arnd@...db.de>
Subject: Re: [PATCH] arm64: CONFIG_DEVPORT should not be used when PCI is
 being used

On 04/07/2016 01:26 AM, Geert Uytterhoeven wrote:
> On Thu, Apr 7, 2016 at 2:18 AM, Greg Kroah-Hartman
> <gregkh@...uxfoundation.org> wrote:
>> On Wed, Apr 06, 2016 at 03:27:20PM -0600, Al Stone wrote:
>>> On arm64 systems, using /dev/port does not really make sense; this is
>>> historically used for other architectures to access ISA IO ports, which
>>> with any luck do not exist on arm64 platforms.  With the following snippet
>>> of perl code (from Jeff Bastian <jbastian@...hat.com>), we can reliably
>>> panic an arm64 system with PCI enabled:
>>>
>>>       #!/usr/bin/perl -w
>>>       # extracted from sensors-detect from lm_sensors
>>>       # to reproduce kernel crash when probing the
>>>       # Super-I/O ports
>>>       use Fcntl qw(:DEFAULT :seek);
>>>       sysopen(IOPORTS, "/dev/port", O_RDWR);
>>>       binmode(IOPORTS);
>>>       sysseek(IOPORTS, 0x2e, 0);
>>>       syswrite(IOPORTS, pack("C", 0x0d), 1);
> 
> There are plenty of ways to crash a system as the root user...

Of course.  This was just a new one.

>>> So, make sure CONFIG_DEVPORT cannot be set on arm64; it cannot really be
>>> used and it allows us to crash a kernel from user space.
>>>
>>> Signed-off-by: Al Stone <ahs3@...hat.com>
>>> Cc: Arnd Bergmann <arnd@...db.de>
>>> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>>> ---
>>>  drivers/char/Kconfig | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
>>> index b272397..c532f62 100644
>>> --- a/drivers/char/Kconfig
>>> +++ b/drivers/char/Kconfig
>>> @@ -587,7 +587,7 @@ config TELCLOCK
>>>
>>>  config DEVPORT
>>>       bool
>>> -     depends on !M68K
>>> +     depends on !M68K && !ARM64
>>
>> Why not fix the real bug here, it's odd that only these two arches need
>> this disabled, don't you agree?

Agreed.  It does seem odd.  I'm not sure I understand which bug you're thinking
is the real one, though -- that DEVPORT should be disabled in all places that
don't have ISA or that arm64 needs to have /dev/port work properly?  Or perhaps
I missed something else entirely...

> In fact even the !M68K dependency is odd.
> The logic seems to originate from commit 153dcc54df826d2f ("[PATCH] mem driver:
> fix conditional on isa i/o support"), which accidentally changed an "||" into
> an "&&".
> 
> Will send a patch later...
> 
> Gr{oetje,eeting}s,
> 
>                         Geert

Aha.  I missed that bit.  Sorry about that.  So something like this instead:

config DEVPORT
	bool
	depends on ISA && PCI
	default y

That makes more sense.  Thanks.	

-- 
ciao,
al
-----------------------------------
Al Stone
Software Engineer
Red Hat, Inc.
ahs3@...hat.com
-----------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ