lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e74919c7-6b32-f55c-ff88-c3abd851476f@virtuozzo.com>
Date:   Fri, 9 Feb 2018 11:53:19 +0300
From:   Kirill Tkhai <ktkhai@...tuozzo.com>
To:     Matthew Wilcox <willy@...radead.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>
Cc:     Dmitry Vyukov <dvyukov@...gle.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        Andy Lutomirski <luto@...nel.org>,
        Borislav Petkov <bp@...en8.de>,
        Juergen Gross <jgross@...e.com>,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Kees Cook <keescook@...omium.org>,
        Mathias Krause <minipli@...glemail.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        kasan-dev <kasan-dev@...glegroups.com>,
        Linux-MM <linux-mm@...ck.org>
Subject: Re: [PATCH RFC] x86: KASAN: Sanitize unauthorized irq stack access

On 08.02.2018 22:00, Matthew Wilcox wrote:
> On Thu, Feb 08, 2018 at 11:20:26AM -0600, Josh Poimboeuf wrote:
>> The patch description is confusing.  It talks about "crappy drivers irq
>> handlers when they access wrong memory on the stack".  But if I
>> understand correctly, the patch doesn't actually protect against that
>> case, because irq handlers run on the irq stack, and this patch only
>> affects code which *isn't* running on the irq stack.
> 
> This would catch a crappy driver which allocates some memory on the
> irq stack, squirrels the pointer to it away in a data structure, then
> returns to process (or softirq) context and dereferences the pointer.

Yes, this is exactly what I mean. The patch allows stack modifications
for interrupt time, and catches wrong accesses from another contexts/cpus
(when there is no interrupt executing in parallel).

It's possible to catch wrong accesses in interrupt time also, but we need
to unmap irq stacks on another cpus to do that, which is not KASAN thing.

But, I hope we may be lucky and catch such situations even if we only check
for accesses, which are going not in interrupt time.

> I have no idea if that's the case that Kirill is tracking down, but it's
> something I can imagine someone doing.

Kirill

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ