Date:   Fri, 28 Oct 2016 03:02:10 +0100
From:   Al Viro <viro@...IV.linux.org.uk>
To:     Joe Korty <joe.korty@...current.com>
Cc:     linux-kernel@...r.kernel.org,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Sasha Levin <alexander.levin@...izon.com>
Subject: [4.1 backport trouble] Re: BUGreport: fix minor infoleak in
 get_user_ex()

On Fri, Oct 28, 2016 at 01:03:55AM +0100, Al Viro wrote:

> On Thu, Oct 27, 2016 at 03:32:10PM -0400, Joe Korty wrote:
[oops in 4.1.35, bisected to 319fe1151940]
> > The following test program can be used to trigger the problem:
> > 
> > /* gcc -m32 c.c -o c */
> > #define _GNU_SOURCE
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <unistd.h>
> > #include <errno.h>
> > #include <sys/syscall.h>
> > 
> > #define rt_sigqueueinfo 178
> > 
> > int main(int argc, char **argv) {
> >      int stat = syscall(rt_sigqueueinfo, 0, 0, 0, 0, 0, 0);
> >      printf("syscall(%d): stat: %d, errno: %d\n",
> >            rt_sigqueueinfo, stat, errno);
> >      return 0;
> > }
> > 
> > This is under 4.1.35 on x86_64.
>
> AFAICS, it steps on _ASM_EXTABLE_EX being more brittle in 4.1 - it pretty
> much has to have the handler on the next insn after the faulting one, or
> the resulting extable entry won't be recognized.  This
> "x86/mm: Expand the exception table logic to allow new handling options"
> in mainline is where that requirement has disappeared.  I think we
> ought to use the plain _ASM_EXTABLE and just call something that would
> set current_thread_info()->uaccess_err directly from the fixup code there.
> That, or backport the commit switching to less brittle extables.

... and frankly, backporting 548acf19234d would be my preference.  It's a bit
more intrusive than needed (_ASM_EXTABLE_FAULT is used only in memcpy_mcsafe(),
which is used only by pmem and it's the only reason for passing the trap
number to fixup_exception()), but AFAICS it's fairly safe.  Objections?
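
A user-space model of the brittleness described in the quoted paragraph, added here as an illustration; it is not code from this thread or from the kernel tree. It assumes the 4.1-era encoding, in which `_ASM_EXTABLE_EX` biases the stored fixup offset by 0x7ffffff0 and `fixup_exception()` recognises such an entry by the difference between the two 32-bit offsets; the addresses and the helper names (`encode_ex`, `is_ex_entry`, `landing_ip`) are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed from the pre-548acf19234d x86 code: _ASM_EXTABLE_EX adds this bias
 * to the fixup offset and fixup_exception() detects it. */
#define EX_BIAS 0x7ffffff0u
/* Constructed addresses: faulting insn in .text, its entry in __ex_table. */
#define FROM  0xffffffff81000100ull
#define ENTRY 0xffffffff81800000ull

struct ex_entry { int32_t insn, fixup; };   /* two self-relative offsets */

/* Encode an _EX entry whose handler sits `delta` bytes after the fault. */
static struct ex_entry encode_ex(uint64_t delta)
{
    struct ex_entry e;
    e.insn  = (int32_t)(uint32_t)(FROM - ENTRY);
    e.fixup = (int32_t)(uint32_t)(FROM + delta - (ENTRY + 4) + EX_BIAS);
    return e;
}

/* The "is this an _EX entry?" test: only the offset difference is examined,
 * in wrapping 32-bit arithmetic. */
static int is_ex_entry(uint64_t delta)
{
    struct ex_entry e = encode_ex(delta);
    int32_t diff = (int32_t)((uint32_t)e.fixup - (uint32_t)e.insn);
    return diff >= (int32_t)(EX_BIAS - 4);
}

/* Where execution resumes: the bias is removed only for recognised entries. */
static uint64_t landing_ip(uint64_t delta)
{
    struct ex_entry e = encode_ex(delta);
    uint64_t ip = ENTRY + 4 + (uint64_t)(int64_t)e.fixup;
    return is_ex_entry(delta) ? ip - EX_BIAS : ip;
}

int main(void)
{
    /* 0x1000 stands for a handler placed out of line, far from the fault. */
    const uint64_t deltas[] = { 3, 19, 20, 0x1000 };
    for (unsigned i = 0; i < 4; i++)
        printf("delta=%#llx ex=%d lands at handler%s\n",
               (unsigned long long)deltas[i], is_ex_entry(deltas[i]),
               landing_ip(deltas[i]) == FROM + deltas[i] ? "" : " + 0x7ffffff0 (bogus)");
    return 0;
}
```

In this model the difference wraps negative once the handler is more than 19 bytes past the faulting instruction, so the entry is treated as a plain one and the biased offset is used as the resume address.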
