lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20171206164350.2bec38f46c1fdf84285f862c@linux-foundation.org> Date: Wed, 6 Dec 2017 16:43:50 -0800 From: Andrew Morton <akpm@...ux-foundation.org> To: Heiko Carstens <heiko.carstens@...ibm.com> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Jiri Olsa <jolsa@...nel.org>, Al Viro <viro@...IV.linux.org.uk>, linux-kernel@...r.kernel.org Subject: Re: [PATCH] fs/proc/kcore.c: use probe_kernel_read() instead of memcpy() On Sat, 2 Dec 2017 14:27:39 +0100 Heiko Carstens <heiko.carstens@...ibm.com> wrote: > git commit df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext > data") added a bounce buffer to avoid hardened usercopy > checks. Copying to the bounce buffer was implemented with a simple > memcpy() assuming that it is always valid to read from kernel memory > iff the kern_addr_valid() check passed. > > A simple, but pointless, test case like "dd if=/proc/kcore > of=/dev/null" now can easily crash the kernel, since the former > execption handling on invalid kernel addresses now doesn't work > anymore. > > Also adding a kern_addr_valid() implementation wouldn't help > here. Most architectures simply return 1 here, while a couple > implemented a page table walk to figure out if something is mapped at > the address in question. > With DEBUG_PAGEALLOC active mappings are established and removed all > the time, so that relying on the result of kern_addr_valid() before > executing the memcpy() also doesn't work. > > Therefore simply use probe_kernel_read() to copy to the bounce > buffer. This also allows to simplify read_kcore(). > > At least on s390 this fixes the observed crashes and doesn't introduce > warnings that were removed with df04abfd181a ("fs/proc/kcore.c: Add > bounce buffer for ktext data"), even though the generic > probe_kernel_read() implementation uses uaccess functions. > > While looking into this I'm also wondering if kern_addr_valid() could > be completely removed...(?) > > Fixes: df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data") > Fixes: f5509cc18daa ("mm: Hardened usercopy") It's a privileged operation, but oopsing root's kernel is still a bit rude. So I'll add cc:stable. And let it bake until 4.16-rc1, since the bug has been there for a year or more. Sound OK?
Powered by blists - more mailing lists