lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171212182537.jfyoch3t2pe2sds4@hirez.programming.kicks-ass.net>
Date:   Tue, 12 Dec 2017 19:25:37 +0100
From:   Peter Zijlstra <peterz@...radead.org>
To:     Andy Lutomirski <luto@...nel.org>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        LKML <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Dave Hansen <dave.hansen@...el.com>,
        Borislav Petkov <bpetkov@...e.de>,
        Greg KH <gregkh@...uxfoundation.org>,
        Kees Cook <keescook@...gle.com>,
        Hugh Dickins <hughd@...gle.com>,
        Brian Gerst <brgerst@...il.com>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Denys Vlasenko <dvlasenk@...hat.com>,
        Boris Ostrovsky <boris.ostrovsky@...cle.com>,
        Juergen Gross <jgross@...e.com>,
        David Laight <David.Laight@...lab.com>,
        Eduardo Valentin <eduval@...zon.com>, aliguori@...zon.com,
        Will Deacon <will.deacon@....com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>
Subject: Re: [patch 05/16] mm: Allow special mappings with user access cleared

On Tue, Dec 12, 2017 at 10:06:51AM -0800, Andy Lutomirski wrote:
> On Tue, Dec 12, 2017 at 10:05 AM, Peter Zijlstra <peterz@...radead.org> wrote:

> > gup would find the page. These patches do in fact rely on that through
> > the populate things.
> >
> 
> Blech.  So you can write(2) from the LDT to a file and you can even
> sendfile it, perhaps. 

Hmm, indeed.. I suppose I could go fix that. But how bad is it to leak
the LDT contents?

What would be far worse of course is if we could read(2) data into the
ldt, I'll look into that.

> What happens if it's get_user_page()'d when
> modify_ldt() wants to free it?

modify_ldt should never free pages, we only ever free pages when we
destroy the mm.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ