lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20160801.213312.1130341044241125265.davem@davemloft.net>
Date:	Mon, 01 Aug 2016 21:33:12 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	mpatocka@...hat.com
Cc:	sparclinux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] sparc: fix incorrect value returned by
 copy_from_user_fixup

From: Mikulas Patocka <mpatocka@...hat.com>
Date: Sun, 31 Jul 2016 19:50:57 -0400 (EDT)

> @@ -18,9 +25,9 @@
>   * of the cases, just fix things up simply here.
>   */
>  
> -static unsigned long compute_size(unsigned long start, unsigned long size, unsigned long *offset)
> +static unsigned long compute_size(unsigned long start, unsigned long size, unsigned long *offset, unsigned long prefetch)
>  {
> -	unsigned long fault_addr = current_thread_info()->fault_address;
> +	unsigned long fault_addr = current_thread_info()->fault_address - prefetch;
>  	unsigned long end = start + size;
>  
>  	if (fault_addr < start || fault_addr >= end) {
> @@ -36,7 +43,7 @@ unsigned long copy_from_user_fixup(void
>  {
>  	unsigned long offset;
>  
> -	size = compute_size((unsigned long) from, size, &offset);
> +	size = compute_size((unsigned long) from, size, &offset, COPY_FROM_USER_PREFETCH);
>  	if (likely(size))
>  		memset(to + offset, 0, size);
>  

I think this might cause a problem.  Assume we are not in one of those
prefetching loops and are just doing a byte at a time, and therefore
hit the fault exactly at the beginning of the missing page.

You will rewind 0x100 bytes and the caller will restart the copy at
"faulting address  - 0x100".

If someone is using atomic user copies, and using the returned length
to determine which page in userspace needs to be faulted in, and
then restart the copy, then we will loop forever.

We must, therefore, find some way to calculate this length _precisely_.
It must be exactly at the furthest byte successfully copied to the
destination.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ