| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Sep 2016 22:37:42 +0100
From: Al Viro <viro@...IV.linux.org.uk>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Heiko Carstens <heiko.carstens@...ibm.com>,
Martin Schwidefsky <schwidefsky@...ibm.com>,
Jan Stancek <jstancek@...hat.com>,
Arnd Bergmann <arnd@...db.de>, Greg Ungerer <gerg@...inux.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] fix fault_in_multipages_...() on architectures with
no-op access_ok()
On Tue, Sep 20, 2016 at 10:03:26PM +0100, Al Viro wrote:
> The testcase here is uaddr = (void *)-1, len = (unsigned long)valid_addr + 2.
> If it tried to do __put_user(uaddr, 0) it would immediately fail, just as
> __copy_to_user(uaddr, len); the problem is, that call will only do
> __put_user(valid_addr, 0) and succeed.
>
> Again, if get_user/put_user/copy_{to,from}_user() anywhere near ERR_PTR(...)
> would succeed, we'd get trouble without any wraparounds. That page should
> be absent, and it really is. In all cases, s390 included. Wraparound is
> irrelevant here. The reason why it got spotted was persistent failure of
> copy_{to,from}_user after successful fault-ins.
PS: s390 is far from the only such architecture - at least m68k, parisc
and sparc64 are the same way.
Sure, we can make all of them check for wraparounds, but what's the point,
when actual attempts to copy to/from such range will fail anyway and
for absolute majority of the calls the check will do nothing. What's the
point?
Note that we need to compare uaddr and end in these loops anyway, so we
are not going to save anything there...
Powered by blists - more mailing lists