| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2c43b55e-db82-d67f-10d5-aed84cda58e0@nokia.com>
Date: Thu, 6 Apr 2017 17:25:34 +0300
From: Tommi Rantala <tommi.t.rantala@...ia.com>
To: Kees Cook <keescook@...omium.org>
CC: Linus Torvalds <torvalds@...ux-foundation.org>,
Dave Jones <davej@...emonkey.org.uk>,
Linux-MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
Laura Abbott <labbott@...hat.com>,
Ingo Molnar <mingo@...nel.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Mark Rutland <mark.rutland@....com>,
Eric Biggers <ebiggers@...gle.com>
Subject: Re: [RFC][PATCH] mm: Tighten x86 /dev/mem with zeroing
On 06.04.2017 03:00, Kees Cook wrote:
> This changes the x86 exception for the low 1MB by reading back zeros for
> RAM areas instead of blindly allowing them. (It may be possible for heap
> to end up getting allocated in low 1MB RAM, and then read out, possibly
> tripping hardened usercopy.)
>
> Unfinished: this still needs mmap support.
>
> Reported-by: Tommi Rantala <tommi.t.rantala@...ia.com>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> Tommi, can you check and see if this fixes what you're seeing? I want to
> make sure this actually works first. (x86info uses seek/read not mmap.)
Hi, I can confirm that it works (after adding CONFIG_STRICT_DEVMEM), no
more kernel bugs when running x86info.
open("/dev/mem", O_RDONLY) = 3
lseek(3, 1038, SEEK_SET) = 1038
read(3, "\300\235", 2) = 2
lseek(3, 646144, SEEK_SET) = 646144
read(3,
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1024) = 1024
lseek(3, 1043, SEEK_SET) = 1043
read(3, "w\2", 2) = 2
lseek(3, 645120, SEEK_SET) = 645120
read(3,
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1024) = 1024
lseek(3, 654336, SEEK_SET) = 654336
read(3,
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
1024) = 1024
lseek(3, 983040, SEEK_SET) = 983040
read(3,
"IFE$\245S\0\0\1\0\0\0\0\360y\0\0\360\220\260\30\237{=\23\10\17\0000\276\17\0"...,
65536) = 65536
lseek(3, 917504, SEEK_SET) = 917504
read(3,
"\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"...,
65536) = 65536
lseek(3, 524288, SEEK_SET) = 524288
read(3,
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
65536) = 65536
lseek(3, 589824, SEEK_SET) = 589824
read(3,
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
65536) = 65536
dd works too:
# LANG=C dd if=/dev/mem of=/dev/null bs=4096 count=256
256+0 records in
256+0 records out
1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0874073 s, 12.0 MB/s
> ---
>
> arch/x86/mm/init.c | 41 +++++++++++++++++++--------
> drivers/char/mem.c | 82 ++++++++++++++++++++++++++++++++++--------------------
> 2 files changed, 82 insertions(+), 41 deletions(-)
Powered by blists - more mailing lists