Date:   Thu, 30 Mar 2017 10:27:47 -0700
From:   Laura Abbott <labbott@...hat.com>
To:     Kees Cook <keescook@...omium.org>,
        Tommi Rantala <tommi.t.rantala@...ia.com>
Cc:     Linux-MM <linux-mm@...ck.org>, LKML <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...nel.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Mark Rutland <mark.rutland@....com>,
        Eric Biggers <ebiggers@...gle.com>,
        Dave Jones <davej@...emonkey.org.uk>
Subject: Re: sudo x86info -a => kernel BUG at mm/usercopy.c:78!

On 03/30/2017 09:45 AM, Kees Cook wrote:
> On Wed, Mar 29, 2017 at 11:44 PM, Tommi Rantala
> <tommi.t.rantala@...ia.com> wrote:
>> Hi,
>>
>> Running:
>>
>>   $ sudo x86info -a
>>
>> On this HP ZBook 15 G3 laptop kills the x86info process with segfault and
>> produces the following kernel BUG.
>>
>>   $ git describe
>>   v4.11-rc4-40-gfe82203
>>
>> It is also reproducible with the fedora kernel: 4.9.14-200.fc25.x86_64
>>
>> Full dmesg output here: https://pastebin.com/raw/Kur2mpZq
>>
>> [   51.418954] usercopy: kernel memory exposure attempt detected from
>> ffff880000090000 (dma-kmalloc-256) (4096 bytes)
> 
> This seems like a real exposure: the copy is attempting to read 4096
> bytes from a 256 byte object.
> 
>> [...]
>> [   51.419063] Call Trace:
>> [   51.419066]  read_mem+0x70/0x120
>> [   51.419069]  __vfs_read+0x28/0x130
>> [   51.419072]  ? security_file_permission+0x9b/0xb0
>> [   51.419075]  ? rw_verify_area+0x4e/0xb0
>> [   51.419077]  vfs_read+0x96/0x130
>> [   51.419079]  SyS_read+0x46/0xb0
>> [   51.419082]  ? SyS_lseek+0x87/0xb0
>> [   51.419085]  entry_SYSCALL_64_fastpath+0x1a/0xa9
> 
> I can't reproduce this myself, so I assume it's some specific /proc or
> /sys file that I don't have. Are you able to get a strace of x86info
> as it runs to see which file it is attempting to read here?
> 
> Thanks!
> 
> -Kees
> 

I can't see this on any of my Fedora systems. It looks like this
is trying to read /dev/mem so I suspect your BIOS is putting out
unexpected values. If you turn off hardened usercopy does x86info
give you reasonable values? I'd also echo getting an strace.

Thanks,
Laura
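
Added example, not part of the original thread: a small Python parser for the hardened usercopy report quoted above. It re-joins the mail-wrapped dmesg record and compares the copy length with the object size implied by the slab cache name. The function names and dictionary keys are hypothetical, and it assumes that a `kmalloc-N` or `dma-kmalloc-N` cache name gives the object size in bytes.

```python
import re

# Report line as quoted in this thread: "usercopy: kernel memory <kind> attempt
# detected from|to <addr> (<object>) (<n> bytes)".
REPORT = re.compile(
    r"usercopy: kernel memory (?P<kind>exposure|overwrite) attempt detected "
    r"(?:from|to) (?P<addr>[0-9a-f]+) \((?P<obj>[^)]*)\) \((?P<len>\d+) bytes\)"
)
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# Assumption: the numeric suffix of a kmalloc cache name is the object size.
KMALLOC = re.compile(r"^(?:dma-)?kmalloc-(\d+)$")


def join_wrapped(lines):
    """Re-join wrapped dmesg records: a line without a [timestamp]
    prefix is treated as a continuation of the previous record."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(TIMESTAMP.sub("", line))
        else:
            records[-1] += " " + line
    return records


def parse_usercopy(lines):
    """Return one dict per hardened-usercopy report found in the log lines."""
    findings = []
    for rec in join_wrapped(lines):
        m = REPORT.search(rec)
        if not m:
            continue
        length = int(m.group("len"))
        size_m = KMALLOC.match(m.group("obj"))
        obj_size = int(size_m.group(1)) if size_m else None
        findings.append({
            "kind": m.group("kind"),
            "addr": int(m.group("addr"), 16),
            "object": m.group("obj"),
            "copy_len": length,
            "object_size": obj_size,  # None when the name carries no size
            # Lower bound: assumes the copy starts at offset 0 of the object.
            "min_excess": length - obj_size if obj_size is not None else None,
        })
    return findings


# The report from this thread, with the mail quoting ('>>') stripped.
SAMPLE = [
    "[   51.418954] usercopy: kernel memory exposure attempt detected from",
    "ffff880000090000 (dma-kmalloc-256) (4096 bytes)",
    "[   51.419063] Call Trace:",
]
```

For the report in this thread, `parse_usercopy(SAMPLE)` yields a single exposure finding with a 4096-byte copy against a 256-byte object.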
