lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 12 May 2017 23:57:55 +0100
From:   Al Viro <>
To:     Rik van Riel <>
Cc:     Kees Cook <>,
        Russell King - ARM Linux <>,
        Linus Torvalds <>,
        Mark Rutland <>,
        Kernel Hardening <>,
        Greg KH <>,
        Heiko Carstens <>,
        LKML <>,
        David Howells <>,
        Dave Hansen <>,
        "H . Peter Anvin" <>, Ingo Molnar <>,
        Pavel Tikhomirov <>,
        linux-s390 <>,
        the arch/x86 maintainers <>,
        Will Deacon <>,
        Christian Borntraeger <>,
        René Nyffenegger <>,
        Catalin Marinas <>,
        "Paul E . McKenney" <>,
        Peter Zijlstra <>,
        Arnd Bergmann <>, Brian Gerst <>,
        Borislav Petkov <>,
        Andy Lutomirski <>,
        Josh Poimboeuf <>,
        Thomas Gleixner <>,
        Ingo Molnar <>,
        Linux API <>,
        Oleg Nesterov <>,
        Daniel Micay <>,
        James Morse <>,
        "Eric W . Biederman" <>,
        Martin Schwidefsky <>,
        Paolo Bonzini <>,
        Andrew Morton <>,
        Thomas Garnier <>,
        "Kirill A . Shutemov" <>
Subject: Re: [kernel-hardening] Re: [PATCH v9 1/4] syscalls: Verify address
 limit before returning to user-mode

On Fri, May 12, 2017 at 05:47:55PM -0400, Rik van Riel wrote:

> > Seriously, look at these beasts.  Overwriting ->addr_limit is nowhere
> > near
> > the top threat.  If attacker can overwrite thread_info, you have
> > lost.
> That is why THREAD_INFO_IN_TASK exists. It moves
> the struct thread_info to a location away from the
> stack, which means a stack overflow will not overwrite
> the thread_info.

... in which case such attacks on ->addr_limit also become a non-issue.

AFAICS, we are mixing several unrelated issues here:
	* amount of places where set_fs() is called.  Sure, reducing it
is a good idea and we want to move to primitives like kernel_write()
Fewer users => lower odds of screwing it up.
	* making sure that remaining callers are properly paired.  Ditto.
	* switching to ->read_iter()/->write_iter() where it makes sense.
Again, no problem with that.
	* providing sane environment for places like perf/oprofile.  Again,
a good idea, and set_fs(USER_DS) is only a part of what's needed there.
	* switching _everything_ to ->read_iter()/->write_iter().  Flat-out
insane and AFAICS nobody is signing up for that.
	* getting rid of set_fs() entirely.  I'm afraid that it's not feasible
without the previous one and frankly, I don't see much point.
	* sanity-checking on return to userland.  Maybe useful, maybe not.
	* taking thread_info out of the way of stack overflows.  Reasonable,
but has very little to do with the rest of that.
	* protecting against Lovecraftian horrors slithering in from the outer
space only to commit unspeakable acts against ->addr_limit and ignoring much
tastier targets next to it, but then what do you expect from degenerate
spawn of Great Old Ones - sanity?

Powered by blists - more mailing lists