Open Source and information security mailing list archives
Message-ID: <20160920203821.GQ2356@ZenIV.linux.org.uk>
Date:   Tue, 20 Sep 2016 21:38:21 +0100
From:   Al Viro <viro@...IV.linux.org.uk>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Heiko Carstens <heiko.carstens@...ibm.com>,
        Martin Schwidefsky <schwidefsky@...ibm.com>,
        Jan Stancek <jstancek@...hat.com>,
        Arnd Bergmann <arnd@...db.de>, Greg Ungerer <gerg@...inux.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] fix fault_in_multipages_...() on architectures with
 no-op access_ok()

On Tue, Sep 20, 2016 at 01:24:25PM -0700, Linus Torvalds wrote:

> Quite frankly, I think it is access_ok() that should be fixed for s390.
> 
> A wrapping user access is *not* ok, not even if kernel and user memory
> are separate.
> 
> It is insane to make fault_in_multipages..() return EFAULT if a normal
> wrapping user access wouldn't. So the fix is not to change
> fault_in_multipage_xyz, but to make sure any op that tries to wrap
> will properly return EFAULT.

Not the point.  Of course it *would* fail; the problem is that the loop
that would ping each page is never executed.  What happens is
	while (uaddr <= end) 
		touch uaddr
		uaddr += PAGE_SIZE
	if uaddr and end point to different pages
		ping end

What happens if uaddr is greater than end, thanks to wraparound?  Right,
we skip the loop entirely and all we do is one ping of the end.  Which
might very well succeed, leaving us with a false positive.
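
The wraparound case described above, as an added example that is not part of the original message: a user-space C model of the loop as sketched there (not the kernel source), run against a constructed address space with a single mapped page. `touch()`, `fault_in_sketched()` and `fault_in_checked()` are hypothetical names, and the explicit wrap check in the last one is an assumption about one way to reject such a range.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PG_SIZE ((uintptr_t)4096)
#define PG_MASK (~(PG_SIZE - 1))

/* Constructed address space: only the page at 0x1000 is mapped. */
static int touch(uintptr_t addr)
{
    return (addr & PG_MASK) == 0x1000 ? 0 : -EFAULT;
}

/* The loop as sketched in the message: touch each page, then ping the end. */
int fault_in_sketched(uintptr_t uaddr, uintptr_t size)
{
    uintptr_t start = uaddr, end = uaddr + size - 1; /* may wrap past 0 */
    int ret;

    if (size == 0)
        return 0;
    while (uaddr <= end) {          /* never entered when end has wrapped */
        if ((ret = touch(uaddr)) != 0)
            return ret;
        uaddr += PG_SIZE;
    }
    if ((start & PG_MASK) != (end & PG_MASK))
        return touch(end);          /* the only access in the wrapped case */
    return 0;
}

/* Same loop, but a range whose end wrapped below its start is refused. */
int fault_in_checked(uintptr_t uaddr, uintptr_t size)
{
    if (size != 0 && uaddr + size - 1 < uaddr)
        return -EFAULT;
    return fault_in_sketched(uaddr, size);
}

int main(void)
{
    uintptr_t top = UINTPTR_MAX & PG_MASK; /* last page of the address space */

    printf("in range:         %d\n", fault_in_sketched(0x1000, 0x800));
    printf("unmapped page:    %d\n", fault_in_sketched(0x1000, 2 * PG_SIZE));
    printf("wrapped, sketched: %d\n", fault_in_sketched(top, 3 * PG_SIZE));
    printf("wrapped, checked:  %d\n", fault_in_checked(top, 3 * PG_SIZE));
    return 0;
}
```

The wrapped range starts on the unmapped top page and ends at 0x1fff, so the sketched loop reports success after touching only the mapped end page.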
