lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 7 Dec 2017 09:41:53 +0100
From:   Heiko Carstens <heiko.carstens@...ibm.com>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Kees Cook <keescook@...omium.org>,
        Jiri Olsa <jolsa@...nel.org>,
        Al Viro <viro@...IV.linux.org.uk>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fs/proc/kcore.c: use probe_kernel_read() instead of
 memcpy()

On Wed, Dec 06, 2017 at 04:43:50PM -0800, Andrew Morton wrote:
> On Sat,  2 Dec 2017 14:27:39 +0100 Heiko Carstens <heiko.carstens@...ibm.com> wrote:
> 
> > git commit df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext
> > data") added a bounce buffer to avoid hardened usercopy
> > checks. Copying to the bounce buffer was implemented with a simple
> > memcpy() assuming that it is always valid to read from kernel memory
> > iff the kern_addr_valid() check passed.
> > 
> > A simple, but pointless, test case like "dd if=/proc/kcore
> > of=/dev/null" now can easily crash the kernel, since the former
> > execption handling on invalid kernel addresses now doesn't work
> > anymore.
> > 
> > Also adding a kern_addr_valid() implementation wouldn't help
> > here. Most architectures simply return 1 here, while a couple
> > implemented a page table walk to figure out if something is mapped at
> > the address in question.
> > With DEBUG_PAGEALLOC active mappings are established and removed all
> > the time, so that relying on the result of kern_addr_valid() before
> > executing the memcpy() also doesn't work.
> > 
> > Therefore simply use probe_kernel_read() to copy to the bounce
> > buffer. This also allows to simplify read_kcore().
> > 
> > At least on s390 this fixes the observed crashes and doesn't introduce
> > warnings that were removed with df04abfd181a ("fs/proc/kcore.c: Add
> > bounce buffer for ktext data"), even though the generic
> > probe_kernel_read() implementation uses uaccess functions.
> > 
> > While looking into this I'm also wondering if kern_addr_valid() could
> > be completely removed...(?)
> > 
> > Fixes: df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data")
> > Fixes: f5509cc18daa ("mm: Hardened usercopy")
> 
> It's a privileged operation, but oopsing root's kernel is still a bit
> rude.  So I'll add cc:stable.  And let it bake until 4.16-rc1, since
> the bug has been there for a year or more.  Sound OK?

Yes, that sounds ok to me. Thank you!

Powered by blists - more mailing lists