lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 12 May 2017 16:15:56 -0700
From:   Andy Lutomirski <>
To:     Al Viro <>
Cc:     Jann Horn <>, Ingo Molnar <>,
        Kees Cook <>,
        Thomas Garnier <>,
        Martin Schwidefsky <>,
        Heiko Carstens <>,
        Dave Hansen <>,
        Arnd Bergmann <>,
        Thomas Gleixner <>,
        David Howells <>,
        René Nyffenegger <>,
        Andrew Morton <>,
        "Paul E . McKenney" <>,
        "Eric W . Biederman" <>,
        Oleg Nesterov <>,
        Pavel Tikhomirov <>,
        Ingo Molnar <>,
        "H . Peter Anvin" <>,
        Andy Lutomirski <>,
        Paolo Bonzini <>,
        Rik van Riel <>,
        Josh Poimboeuf <>,
        Borislav Petkov <>,
        Brian Gerst <>,
        "Kirill A . Shutemov" <>,
        Christian Borntraeger <>,
        Russell King <>,
        Will Deacon <>,
        Catalin Marinas <>,
        Mark Rutland <>,
        James Morse <>,
        linux-s390 <>,
        LKML <>,
        Linux API <>,
        "the arch/x86 maintainers" <>,
        Kernel Hardening <>,
        Linus Torvalds <>,
        Peter Zijlstra <>
Subject: Re: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode

On Mon, May 8, 2017 at 1:48 PM, Al Viro <> wrote:
> On Mon, May 08, 2017 at 04:06:35PM +0200, Jann Horn wrote:
>> I think Kees might be talking about
>>, fixed in
>> commit e6978e4bf181fb3b5f8cb6f71b4fe30fbf1b655c. The issue was that
>> perf code that can run in pretty much any context called access_ok().
> And that commit has *NOT* solved the problem.  perf_callchain_user()
> can be called synchronously, without passing through that code.
> Tracepoint shite...
> That set_fs() should be done in get_perf_callchain(), just around the call of
> perf_callchain_user().  Along with pagefault_disable(), actually.

Even that's not quite enough because of a different issue: perf nmis
can hit during scheduling or when we're in lazy mm, leading to the
entirely wrong set of page tables being used.  We need
nmi_uaccess_begin() and nmi_uaccess_end(), and the former needs to be
allowed to fail.

AFAIK this isn't presently a security problem because it mainly
affects kernel threads, and you need to be root to profile them, but
maybe there's some race where it does matter.

Powered by blists - more mailing lists